Readaloo

Just the good stuff

Filed under: technoloy

OnStar Spying On Customers’ GPS Location For Profit

by Jonathan Zdziarski

I canceled the OnStar subscription on my new GMC vehicle today after receiving an email from the company about their new terms and conditions. While most people, I imagine, would hit the delete button when receiving something as exciting as new terms and conditions, being the nerd sort, I decided to have a personal drooling session and read it instead. I’m glad I did. OnStar’s latest T&C has some very unsettling updates to it, which include the ability to sell your personal GPS location information, speed, safety belt usage, and other information to third parties, including law enforcement. To add insult to a slap in the face, the company insists they will continue collecting and selling this personal information even after you cancel your service, unless you specifically shut down the data connection to the vehicle after canceling.

 

The complete update can be found here. Not surprisingly, I even had to scrub the link as it included my vehicle’s VIN number, to tell OnStar just what customers were actually reading the new terms and conditions.

The first section explains the information that’s collected from the vehicle. No big deal. Sounds rather innocuous and boring. I imagine most people probably drool out and close the window by the time they get this far. Your contact information, billing information, etc. is collected. Nobody cares about tire pressure and crash information being collected – after all, that’s what OnStar is there for. Toward the end, you’ll read about how GPS data is collected, including vehicle speed and seat belt status. Again, in an emergency, this is very useful and most customers want an emergency services business to collect this information - when necessary. And the old 2010 terms and conditions only allowed OnStar to collect this information for legitimate purposes, such as recovering a stolen vehicle, or when needed to provide other OnStar services to customers on demand. As you scroll down the list of information collected, you see that once you get past important emergency services(what we pay OnStar for), OnStar now has given themselves the right to also use this information to stuff their pockets. OnStar has granted themselves the right to collect this information “for any purpose, at any time, provided that following collection of such location and speed information identifiable to your Vehicle, it is shared only on an anonymized basis.” – This provides carte blanche authority for OnStar to now track and collect information about your current GPS position and speed any time and anywhere, instead of only in the rare, limited circumstances the old contract outlined.

Anonymized GPS data? There’s no such thing! We’ve all seen this before – anonymized searches, for example, that were not-so-quite anonymized. But in this case, it’s impossible to anonymize GPS data! If your vehicle is consistently parked at your home, driving down your driveway, or taking a left or right turn onto your street, its pretty obvious that this is where you live! It’s like trying to say that someone’s Google Map lookup from their home is “anonymized” because it doesn’t have their name on it. It still shows where they live! What’s unique even more-so to OnStar is that the data they claim they sell as part of their business model is useless unless it’s specific; that is, not diluted to the nearest 10 mile radius, etc. This combination of analytics, and their prospective customers (law enforcement, marketers, etc) requires the data be disturbingly precise. Anyone armed with Google can easily do a phone book or public records search to find the name and address that resides at any given GPS coordinate.

So the GPS location of your vehicle and your vehicle’s speed are likely going to be collected by OnStar and sold to third parties. What kind of companies are interested in this data? OnStar would have you believe that respectable agencies, like departments of transportation and  various law enforcement agencies (for purposes of “public safety or traffic services” – A.K.A ticket writing). I can imagine this data COULD be used for good, to create traffic based analytics to improve future road construction or even emergency response. But given that those types of decisions are only made once a decade in most cities, OnStar isn’t likely to benefit much financially from “respectable” companies.

What is more profitable to OnStar that your personal GPS data could be used for? Hmm, well how about the obvious – tracking you and your vehicle. It would be extremely profitable to be able to identify all vehicles within OnStar’s network that frequently speed, and provide law enforcement “traffic services” the ability to trace them back to their homes or businesses, as well as tell them where to set up speed traps. Or perhaps insurance companies who want to check and make sure you’re wearing your seat belt, or automatically give you rate increases if you speed, even if you’re never in an accident? How about identifying all individuals who shop at certain stores, and using that to determine whose back yard to put the next God-awful Wal-Mart store? How about employers who purchase these records from these third parties to see where their employees (or prospective employees) travel to (and how fast), sleaze bag lawyers who want to subpoena these records to use against you if you’re ever sued, government agencies who want to monitor you, marketing firms who want to spam you, and a long list of other not-so-squeaky-clean people who use (and abuse) existing online, credit card, financial, credit, and other analytics to destroy our privacy?

Add to this OnStar’s use policy of your personal information – the stuff that does identify who you are and ties it to your GPS records. While I have no problem using my personal information in events of an emergency, OnStar also uses my information to “allow us, and our affiliates, your Vehicle Maker, and Vehicle dealers, to offer you new or additional products or services; and for other purposes“. So not only is OnStar going to sell my vehicle’s GPS location data to a number of third parties, but they’re also going to use it and my personal information for marketing purposes. Imagine your personal data being sold to any number of their “affiliates”, and a few months later, you start to receive targeted, location-specific advertising based on where you’ve traveled. Go to Weight Watchers every week? Expect an increase in the amount of weight loss advertising phone calls. Go to the bar frequently? Anticipate a number of sleazy liquor ads to show up in your mailbox. Sneak out to Victoria Secret for something special for your lover? You might soon be inundated with adult advertising in your mailbox.

OnStar’s new T&C continues, explaining that part of the company may at some point be sold, and all of your information with it. It sounds as though OnStar is poising part of their analytics department to be purchased by a large data warehousing company, such as a Google, or perhaps even an Apple. Do you trust such companies with unfettered access to the entire GPS history of your vehicle?

This is too shady, especially for a company that you’re supposed to trust your family to. My vehicle’s location is my life, it’s where I go on a daily basis. It’s private. It’s mine. I shouldn’t have to have a company like OnStar steal my personal and private life just to purchase an emergency response service. Taking my private life and selling it to third party advertisers, law enforcement, and God knows who else is morally inept. Shame on you, OnStar. You disgust me.

To make matters even more insulting, it was difficult to ensure the data connection was shut down after canceling. I still have no guarantee OnStar did what they were supposed to. I had to request the data connection be shut down repeatedly, after the OnStar rep attempted to leave it on and ignore my requests.

When will our congress pass legislation that stops the American people’s privacy from being raped by large data warehousing interests? Companies like OnStar, Google, Apple, and the other large abusive data warehousing companies desperately need to be investigated.

These terms don’t go into effect until December 2011, and it takes up to 10 days to have the account fully cancel, and another 14 days for the data connection to be shut down… so if you want to get out of these new terms and conditions, you’ll need to do it soon.

 

Update:

Since writing this article, OnStar has reportedly told a few individuals that the contract requires them to obtain the customer’s consent in order to provide this information to anyone. Not true. In fact, the only mention of the word consent in their updated T&C is below:

We will comply with all laws regarding notifying you and obtaining your consent before we collect, use or share information about you or your Vehicle in any other way than has been described in this privacy statement. 

Two points to make: first, this clause only applies to collecting and sharing information in any way that is not described in the privacy statement. All of the nefarious uses for your personal data are, quite clearly, described in the privacy statement, and so no consent would be required. Secondly, this paragraph makes it clear that they will only comply with all laws requiring consent, not that they will actually obtain your consent. I’m not a lawyer, but as far as I know, there are no such laws on the books in most (if not all) states that protect the consumer from having their private information shared or sold to third parties, especially when such sharing is disclosed in a contract. In other words, the above paragraph seems to do nothing to require OnStar to obtain your consent to do any of this – and it’s my firm belief that OnStar’s only real interest is in OnStar. If you doubt this, the older version of the terms and conditions had two more consent clauses that are no longer part of the new terms and conditions.

Old Consent Clauses – Now Removed:

In General, we do not share your personal information with third-party marketers, unless we have asked for and obtained your explicit consent.

Of course, we will notify you, and where required, ask for your prior consent if our collection, use, or disclosure of your personal information materially changes.

Former NSA Director: Countries Spewing Cyberattacks Should Be Held Responsible

Attribution is one of the biggest problems on the internet when it comes to cyberwarfare. How do you hold a nation responsible for malicious attacks if you can’t determine whether the activity was state-sponsored?

Retired General Michael Hayden, former director of the National Security Agency, said Thursday that one solution being discussed in government is to simply forget about trying to determine if the source of an attack is state-sponsored and hold nations responsible for malicious activity coming from their cyberspace. His words were greeted with applause from the audience of computer security professionals.

“Since the price of entry is so low, and … it’s difficult to prove state sponsorship, one of the thoughts … is to just be uninterested in that distinction and to actually hold states responsible for that activity emanating from their cyberspace,” said Hayden during his keynote address at the Black Hat security conference. “Whether you did [the attack yourself] or not, the consequences for that action [coming from your country] are the same.”

Asked later for examples of what the consequences to a nation might be, he suggested some kind of cyberexile, or a response that would thwart the flow of the internet from the suspect country in a way that would slow their cybercommerce and ability to communicate.

Hayden, who is currently a principal at the Chertoff Group, a security consultant company founded by former Homeland Security Secretary Michael Chertoff, focused his talk on cyberwarfare and acknowledged that the term is thrown “pretty much at anything unpleasant.”

He said the U.S. military doesn’t consider intelligence attacks acts of war but the kind of “normal espionage thing that routinely happens between states.”

“Without going into great detail, we’re actually pretty good at this, and the Chinese aren’t the only ones doing this,” he said.

Outside of this, the U.S. and international community haven’t made much progress in determining what would actually constitute an act of war in this domain, but he said there have been some initial discussions about the idea of having global agreements to restrict certain kinds of activity. He cited denial-of-service attacks as an example of one type that could be restricted under a kind of Geneva Convention agreement on the rules of cyberwar.

“That is such an easily available weapon that we [might decide we] ought to stigmatize its use so that adult nations don’t do it and they don’t allow it to happen from their sovereign space — that’s one thought,” he said.

He also said ideas have been raised about forming the cyber equivalent of demilitarized zones for sensitive networks, such as the power grid and financial networks, that would be off-limits to attack from nation states. He acknowledged that this contradicts the view in kinetic warfare where attacks on power grids and other infrastructures are considered legitimate targets.

In a press conference following his talk, Hayden was asked about cyberespionage and whether the United States considers collateral damage that could occur as a result of such activity by the United States, such as an incident that reportedly occurred in the early ’80s in Russia.

In 1982, the United States reportedly sabotaged the Siberian pipeline through a logic bomb planted in software, causing an explosion. The United States learned from a Russian scientist that the Soviets were stealing data on U.S. technology, so the CIA hatched a plot to insert the logic bomb into software headed to Russia to operate pumps, valves and turbines on the Siberian natural gas pipeline.

At a pre-programmed time, the malware caused excessive gas pressure to build on the valves, resulting in an explosion that was captured by orbiting satellites. Although there were no human casualties, there might have been under different circumstances if the explosion had occurred in a populated area.

Hayden acknowledged during his keynote that there are problems with anticipating consequences of cyberwarfare attacks.

“You can never do anything in this domain without something going pop in [the physical world],” he said. “At the end of the day, it really isn’t a videogame and something’s going to happen in somebody’s physical space.”

He added that in considering the possibilities for collateral damage from a cyberattack, generally the military considers whether the good that is perceived to come out of an action greatly outweighs the possible unintended consequences. But with cyberattacks, the consequences can be much less predictable.

“When you do this, are lights still going to be on on the eastern seaboard?” he said. “When you do something in the cyberdomain, you’re asking a policy maker to accept a risk that’s probably a little less measurable than a parallel operation outside of cyberspace…. The thinking on cyberstuff is so immature that, if we’re not careful, they’ll become the special weapon of the 21st century like nuclear weapons were [in the last century] that you really had to have the president in the room before you could use them.”

Hayden was asked about WikiLeaks and the possible repercussions that will come from the secret-spilling site publishing 77,000 intelligence documents on the Afghanistan war.

“This is an interesting aspect of a cyberwar [that] would not exist in physical space,” he said. “So, how now do we deal with this? Can we sustain espionage? Will it be possible for America to spy if this cultural trend is not modified or muted …? We have less control of our secrets than some other states.”

Hayden said the intelligence community will likely push back against open intelligence-sharing initiatives that evidently made this and other documents published by WikiLeaks vulnerable to leaking. After the 9/11 terrorist attacks, the government made the sharing of intelligence easier in order to combat criticism that people responsible for defending the country didn’t have the information they needed. As a result, intelligence reports and documents were made available to a much wider group of people in the government and military.

Hayden said “it’s going to take very strong leadership” to ensure that there isn’t a knee-jerk reaction that simply closes access to intelligence going forward.”

Posterous theme by Cory Watilo