> Plaintiff did not want OnStar services and so he did not push the blue button "to get started." The email provides no mention of OnStar's Smart Driver Program.
…
> In or around January 2024, Plaintiff received his requested LexisNexis consumer disclosure. The report, as of December 18, 2023, had 258 recorded driving events under the "Telematics" subsection. Each driving event included trip details that show the start date, end date, start time, end time, acceleration events, hard brake events, high speed events, distance, and VIN.
…
> Plaintiff had never opted into any insurance program that would have allowed his information to be shared.
And if you own a car made in the last ~5 years, here's how to request your "Consumer Disclosure Report" from LexisNexis: https://consumer.risk.lexisnexis.com/ . According to NYT, LexisNexis receives at least some data from GM, Ford, Kia, Subaru, and Mitsubishi.
I wrote about this after my gag order expired. GM was shipping all telematics data to a big data cluster processing 100gbps of data (with double the data once Cisco released 400gbps support). Originally it was to help price their used cars. A noble effort I supported. I didn’t know about the sales to insurance brokers, but should have assumed that was coming.
Anyway cat is out of the bag, they won’t undo this feature they will pay a fine, offer an opt-out to 5% of users who take up the offer and in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
How do I know this? It’s been 10 years since the hoopla about realtime location data being sold. Last night I saw my home IP address reports my location with .25 mile accuracy. Guess that $5 check from Verizon was the fine they had to pay!
Some time last year I wrote a comment here on HN about my Bolt EUV and OnStar. I can’t remember exactly what I wrote and don’t want to dig for it, but I said something like being happy with the vehicle and had disabled all of the OnStar features/tracking soon after I purchased it. Somebody replied that they were intimately familiar with the OnStar/GM project, having worked on it, and that it was still tracking me despite not being subscribed to any of their services and having turned off all the features in the car that I could. They couldn’t elaborate further, I assume because of an NDA or something. I bet dollars to donuts that this is what they were talking about now.
Edit: thanks to Stavros for finding the comment below. It looks like you were in fact the person I was talking to 11 months ago. Small world!
> Anyway cat is out of the bag, they won’t undo this feature they will pay a fine, offer an opt-out to 5% of users who take up the offer and in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
So can't the plaintiffs just request an order compelling GM and others to remove the feature forever as part of the remedies?
> in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
And even if there continues to be an opt-out, those plans will become so prohibitively expensive that you're essentially forced to allow your insurer to spy on you. Privacy is always priced out in the free market. Regulation is the only way. It's not a net benefit to society, just outlaw egregious data collection.
How does the data leave the device? I tried to route traffic from the infotainment system into a WiFi network I was wiresharking, and I saw a lot of GM traffic but I couldn’t install a cert to MitM because I couldn’t figure out how to access the Android settings for the dash OS.
Is the traffic through there or is it totally within the CANBUS and never hits the WiFi outbound? In that case do you need to hijack the 4G?
Not that I support any of this, but why would networking speed be the bottleneck in that system? Telematics seems very much like an OLAP situation where data ingest and querying can be asynchronous.
> And if you own a car made in the last ~5 years, here's how to request your "Consumer Disclosure Report" from LexisNexis: https://consumer.risk.lexisnexis.com/ . According to NYT, LexisNexis receives at least some data from GM, Ford, Kia, Subaru, and Mitsubishi.
Appreciate this link! I don't have one of the listed brands (own a Mazda) but I am curious to see what info data brokers like this have on me in general.
Also, maybe this is a naive thought but I think data brokers like this are so used to operating in the shadows / being forgotten about so I think the more folks who request is at least a small signal to them that folks are paying attention.
Wow, I just submitted the consumer disclosure report this morning after finding out about it from somewhere else. I am VERY interested to see if anything is reported from my car since I don't have any of the addons/monthly fees.
I assume LexisNexis does not provide this report out of the goodness of their heart, it must be required by FCRA?
If I really don't like LexisNexis collecting this data, or if I really just want to stay on top of my credit status, is there any reason not to script something to request a physically mailed report every day? Not sure how much they pay per mailing, but 365 of them can't be cheap.
You can't take this as authoritative but my business has a data relationship with Toyota and they have a ton of juicy telemetry data.
Their attorneys are mad protective of the PII they have. Our relationship serves the public interest. We use the data to find people with open recalls where Toyota doesn't know who the current owner is.
I say this to say that we have other OEM relationships that are far more liberal with their encumbered data. Thus far Toyota seems to be playing it very straight.
• Violations of the Fair Credit Reporting Act (FCRA) due to the alleged improper sharing and reporting of plaintiffs' driving data without consent, impacting their ability to secure car insurance and leading to increased rates.
• Violations of the Florida Deceptive and Unfair Trade Practices Act, accusing the defendants of engaging in deceptive practices by sharing personal driving data without the knowledge or consent of the car owners.
• Invasions of privacy under Florida common law, arguing that the defendants' actions of tracking, collecting, and sharing personal driving data without consent intrude upon the plaintiffs' private lives and are offensive.
Unless senior managers and board members get criminal convictions and jail time it will continue and the "disturbing" will cease only by being normalized.
Hoping for a magic responsible all powerful legal daddy to come enforce a just set of laws is pure fantasy.
The people doing regulation and oversight have been bought and paid for by these "managers and board members." Citizens United codified their right to do this into law.
If you want professional ethics, you have to create a vehicle that can enforce professional ethics or wield political power -- a trade union or guild.
No congress-member is going to wake up and be like "gee, I sure wish I would get a few less bribes (campaign contributions) today," or "I sure would like my stock portfolio to decrease in value by doing real oversight on all these companies that are making me rich."
If the legal system cannot provide consequences to these people, then it's time to start thinking about where those consequences are going to come from. Hoping for consequences is not a very good strategy. A union is one such vehicle.
If the health insurance industry is several times larger than car insurance then there must be a very high financial motive for Ancestry/23&me to sell your curious aunt's DNA data which is also linked to relations.
At least the health insurance industry is legally prohibited from charging different rates to people based on DNA. So, at most, they can use it to try to get you specialized care.
No shit. Plus 23 and me is in deep financial trouble last I heard. Someone out there is drooling over that data set.
I know otherwise smart people (in the analytical sense) who paid money to hand over their most sensitive biometrics to these companies. And they’re still like “the data brokers can have it, what are they gonna do?”
Without extremely aggressive changes to how we handle situations like this, it seems unlikely
A fine is a price, and there are basically no laws that put financial, let alone criminal liability for people behind the corporate veil or seizure/dissolution of a corporation that consistently breaks the law on the table
Whenever the GDPR is mentioned here, people more or less treat it as a sign of fascism. With that attitude from us, how can our rights on privacy be respected?
I'm extremely glad that the GDPR and NOYB.eu mean that car manufacturers can't pull that shit here. If I opt out, I'm opted out, or there will be big fines for them.
How? Who will represent that viewpoint in the halls of congress? The EFF is politically ineffective and always has been for reasons I don't understand, and no one else seems to care.
A huge majority of my spam calls come from someone who bought it from ZoomInfo, Apollo, or other. I made a mistake somewhere and they got my personal number.
Now, every time I get a spam call, I insist they tell me where they're getting their info from. They'll try to say "our data team", but if you keep insisting they'll tell you.
Privacy legislation is antipartisan[0]: the US government relies on buying dox from adtech creeps to do all the spying they otherwise couldn't legally do, so nobody in power wants that loophole closed.
[0] Bipartisanly supported by the electorate and bipartisanly opposed by the elected representatives of said electorate
Nice thing is that tracking via cellular never stops working but if you are in an emergency they will not call emergency services for you if you don't pay the subscription.
It's good to read this thread and know that finally people are realizing the full extent of the surveillance. I have dealt with a Govt agency targeting me for several years and having technical knowledge, I've noticed all of this invasion of privacy and control used against me, lots of it wouldn't even be possible without technology or the internet. But it's so much more than if you gave up your phone... It's a literal surveillance state and even if you go to the suburbs away from the concrete prisons our cities have been turned into, you still have front door cameras everywhere, accessible by law enforcement.
In fact, to abuse all of this stuff and weaponize it against someone, you do not need to have a court order or a warrant. As long as you find the right people, have the right narrative, companies will do all kinds of stuff to you, even if you are a customer.
And my original reply before going off on a tangent was that even if you remove your sim card, even if you somehow disable emergency services, your phone is still pinging and leaking all these signals that are picked up by all kinds of scanners.
Very few people even accept this is happening at scale, let alone are able to reason about the implications of it all.
The public needs a better job of being informed about the consequences of all of it.
I agree with the worry about surveillance. But isn't this really a continuation of how car makers treat their customers and the public generally? Car companies compromise privacy in the same way that they willingly compromise safety, public health and the environment. It is the result of a broken culture and naive to expect them to change.
GM is trying really hard to not get my business in the future. Between the no Car Play and Android Auto support in their new EVs. Now this. I'm just tired man...
GM seems to be floundering in mediocrity right now. They basically pump out generic, uninspired plastic boxes right now then try to nickel and dime their customers. In my opinion, foreign manufacturers are absolutely eating their lunch right now.
Despite being children of an automotive family, with a deep loyalty for the Big 3, we've started to avoid their cars. While they can run forever, they just start falling apart.
The rebadged Commodores were a bright spot in the lineup for a while if you like that kind of thing
What are “foreign manufacturers?” Hondas and Toyotas have been built in the states for a long time. Chrysler has been a transnational merger for a while and Ford and GM have long histories of importing their overseas products.
I will never buy a GM until they stop turning their reverse lights on when they're not reversing. This one small feature has wreaked immeasurable havoc on parking lots across the world.
They've done that just fine for me by releasing... lame cars across the board. Most of their brands are shells of their former selves (especially Cadillac) and I can't remember the last time I saw a Chevy that I actually liked.
I mean, I get that. Part of it is irrational because my father worked for and retired from GM. So it's a bit of a family thing. But the loyalty has a limit and I believe Mary Barra has reached the limit for me.
We’ve already taken quite a few manufacturers off the list for this reason, including GM. Vote with dollars people. Take my data without permission, lose my business.
You've Japanese, German and to some extent even Korean cars that are much better. If a pickup truck is what you're looking for, then Ford is much better.
The brands you are thinking of also likely have telematics with similar vague language about data collection. I've seen it in Nissans, Hondas, and Toyotas, personally.
If you're in the market for a smaller, cheap(ish) EV with decent range, the Chevy Bolt (used) is basically the only option, and honestly can be had for less than any equivalent ICE vehicle of similar quality/mileage
Tesla claims not to sell or transfer the data they collect, and offer opt-outs from most of it. You can, if you are willing to void your warranty, remove the GSM/LTE module from a Tesla fairly straightforwardly.
Telematics should be disabled, preferably by way of hard cutting the modem chip's V-in. Call me a tinfoil hat lover, but when 23andme gets bought by an insurance company, the similarities with potential insurability issues are numerous when data is available to the other without a big, shining red opt-in.
I have obtained an email from GM stating that if I am an OnStar Smart Driver subscriber, I cannot opt out of my data being shared. I believe this violates at least California privacy regulations, probably some other states, which mandate opt outs. I seriously want to rip the modem out of my car.
Collecting and storing personal data needs to be exorbitantly expensive.
LexisNexis knew exactly what they were doing and probably already factored in litigation costs to the product.
Experian should have been fined out of existence when they lost all that data. The light of their funeral pyre could have warned away companies headed down the same path.
It is so enraging. Not only did they have zero consequences compared to what they should have received, they're still somehow the lone report I have to thaw for every single loan and line of credit.
Related: "Automakers are sharing consumers' driving behavior with insurance companies" - https://news.ycombinator.com/item?id=39666976
And if you own a car made in the last ~5 years, here's how to request your "Consumer Disclosure Report" from LexisNexis: https://consumer.risk.lexisnexis.com/ . According to NYT, LexisNexis receives at least some data from GM, Ford, Kia, Subaru, and Mitsubishi.
Or from Verisk, which receives data from at least GM, Hyundai, and Honda: https://fcra.verisk.com/#/
Automakers are sharing consumers' driving behavior with insurance companies - https://news.ycombinator.com/item?id=39666976 - March 2024 (321 comments)
That one only spent 3 hours on the front page so I guess we'll let this one have a go too...
The site is likely overloaded by interest from HN readers. Trying again in 48 hours will likely give more performant responses.
https://en.wikipedia.org/wiki/Panopticon
These data exchange companies are despicable.
Clearly your data are more important than you
Don't carry a cell phone?
Seems to work just fine =D
and consumer reports seems to love the cousin Buick Envista.
https://www.reddit.com/r/cars/comments/rshlke/why_do_gm_vehi...
If we vote with our dollars then the government just bails them out when they inevitably go bankrupt, again.
Wait seriously? That's a wild choice.
https://oag.ca.gov/privacy/ccpa#sectionh
https://oag.ca.gov/contact/consumer-complaint-against-busine...
I'd like to see a HIPAA for regular data.