I’ll tell you a secret, but we have to get out of the car….(Why the auto-makers know more about you than you do)

There is a new report out this week that dives into the auto-industry’s protection, use of (and sometimes) distribution of the data that is being collected by your car’s computer.  “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” was (written and) released by the staff of Senator Edward J. Markey from Massachusetts.   It’s only 12 pages if you have the time.  (if you have a lot more time, the GAO did a much more extensive study in December of 2013 that has drawings and everything)   

The Senator sent letters to 16 major automobile manufacturers, which includes all the ones you can name and then some.  Most responded to a list of very (IMHO) knowledgeable questions about the types of data that on-board computers for new cars collect; what is done with that data; what steps they are taking to preserve the privacy of the data and the security of the on-board computers, themselves.  From those responses, the Senator’s staff provided the following conclusions, as summarize by Consumer Courage:

    1. Almost every car on the road uses wireless technology that is vulnerable to hacking by someone other than the manufacturer; 
    2. Most of the car makers are either unaware of or unable to tell you whether your car’s computer has ever been hacked;
    3. There aren’t any standards that govern how the industry tries to protect your information or prevent your car’s computer from getting hacked. In addition, many of the manufacturers are either hiding how they protect you or don’t even understand the dangers of having their fleet of cars use wireless technology;
    4. Only two of the manufacturers are able to tell if your car is getting hacked while it’s happening and take action to protect you.  Incredibly, most of them responded to this concern by saying that they rely on systems that are used to protect you from something else, entirely; 
    5. Manufacturers collect large amounts of data on driving history and vehicle performance that don’t have anything to do with protecting you;
    6. Most of them store the data with other companies.  Of the ones who keep the data in-house, they weren’t able to describe how they keep it from getting stolen from them; 
    7. Car makers say it’s necessary to gather so much data so they can “improve the customer experience,” but, there aren’t uniform standards that govern where the data is kept, how they use it or how long they keep it;
    8. By and large, they don’t tell you what they’re collecting or give you a choice to say “hey, cut it out.” You can stop some manufacturers from getting this data. But, it means that you have to disable important functions (like Onstar or your GPS)

We’ve all known for  quite a while that our cars have computers that are being used to make them run more efficiently; help us get to where we are going (through GPS systems); keep us safe (weather updates, anti-lock brake systems); and help us when we’re in trouble (OnStar).  If you’re like me, you’ve never given a whole lot of thought to what’s happening to all of the data that your car is generating.  Almost every car collects information that helps your car run better: fuel economy; status of power windows/doors; systems failures; battery status; coolant temperature and engine status are all monitored and sent to the manufacturer at regular intervals.  Your on-board computer will also let the manufacturer know if you have taken your car in for the latest recall and whether you need certain regularly scheduled maintenance.   If your car gets stolen, chances are the manufacturer will be able to locate it.  This is the good news. 

Now the bad news 

Your car will also tell the manufacturer a huge amount of information that ranges from “do they really need to know THAT?” to “downright creepy.”  Your manufacturer gets data that tells them:

    • distances traveled;
    • places frequented;
    • time spent parking vs. driving;
    • where you park;
    • whether you almost get into an accident;
    • which places you go to most often;
    • what time you leave in the morning/get home at night;
    • whether you’re out of town and how far away you are;

If was only that the auto manufacturers were just getting this info, that might be enough to unnerve some folks.  But, how they are getting the information and who else might have access to it only adds to the angst.  They get this information in one of two ways – when you take it in for service and when your computer “reports back” through wireless connections. 

If you take it to the dealership to get worked on, they will (as part of whatever else they are doing) hook it up to the computer, using a cable connection.  That hookup will serve to update the manufacturer’s database as to what’s been going on with your car (i.e. upload the information that we talked about above).  Whether you want them to have the info or not, this is the safest way your car talks to its creator. 

The second way your car tells on you is through a wireless (actually “mobile”) connection and can occur wherever you are.  The big worry with any type of wireless connection is, of course, whether hackers can get into your computer by using wireless technology of their own.  If you thought that auto-makers would have built a super-duper-protected-worry-free network for the transmission of your private personal data, you would have thought wrong.  In fact, the way the report reads, it almost seems like the auto-industry isn’t familiar with the fact that data can be stolen or needs to be protected at all.

This is where it gets a little technical

There are two wireless sets of communications going on here. (We’re calling it wireless because it doesn’t have wires – not because it’s like the wireless connection you have at home.)  Unlike your home network, you don’t have to sign your car up to the network every time you log on. 

    1. Your car has its own network – called a CAN for Controlled Area Network. Each of the car’s systems talk to each other on a mini-wireless (our words) network, because it would take tons of wires to physically hook each of the vehicle’s components to each other; and
    2. Your car talks to the manufacturer over a mobile-type network – usually routed through the GPS that comes w/the car. 

[If your car didn’t come with a GPS, it still talks to the manufacturer whenever you get it worked on and still has a CAN, which makes it easier for the car to talk to itself. But, you don’t have to worry about it talking to the manufacturer using a mobile connection]

So I shop at the Piggly Wiggly…so what? 

Isn’t this all just harmless trivia anyway? I mean, what can somebody do with information about where, when and how I drive after all?  Plenty, it turns out.  If someone can tell what time you leave the house every day or where you usually park your car, it would make it awfully easy to pick those times to try to burgle your house (or auto).  Or, if your kids are in daycare, somebody could use this info to get a pretty good idea where that facility is.  Since the report shows that many of the industry players store this info with separate companies, who can tell if they are selling it to bad guys?; or, if their own security is effective or not?

The danger doesn’t end with just worrying about the wrong person having your personal information.  That’s because there’s a lot more than a hacker can do to your car than figure out where you like to buy gas.  Since most of the major systems of your car respond to commands from a computer, if someone hacks into said computer, they can start giving it commands.  What would happen if you were on the highway and someone (who was not sitting behind the wheel) could tell your car to hit the breaks?; or, if a hacker told your car to sound the alarm at 2:00 in the morning while it was sitting in your attached your garage?; or, to accelerate into oncoming traffic, while you were at a red light?  Bizarre? Yes.  Impossible? Not at all.  (The Senator’s report cited a study from 2011, where researchers were able to do just that)

(Dealerships and lenders already use technology to disable cars remotely, because the owner missed a payment. The problems with this are obvious.  After all, who verifies whether the payment was actually missed?  And, what will happen the first time they disable the car of a pregnant woman who is trying to get to the hospital?; or because their kid has a raging fever?    Or someone who is just trying to drive away, because she is being chased by a teenager who really wants her purse?  Ye-gods)

Is anybody at the wheel?

Unfortunately, the picture that the Senator’s report paints of the industry is not a pretty one.  They seem to be using the same data-breach-aversion plan that most of the major retailers appear to have embraced: “Let’s not worry too much about it, until some blogger writes an expose about how many accounts have been stolen.”

The laws that are on the books that govern privacy have very weak requirements for the hack-ee who lost your information to report any data-breach in the first place.  (why else would Target be able to wait nearly a year before fessing up that they had been hacked?)  This is why we don’t hear about data-breaches until way after the fact and why no company has gotten into trouble for not reporting a breach in the first place.  (not a confidence builder, to be sure) 

New bill

As it happens, while we were putting this post together, there was an announcement that a new bill was being introduced by Senator Markey (the co-sponsor is Senator Richard Blumenthal)

Editor’s note to those who “want the government out of my business”: when this law is finally passed (may it happen soon, in our days) we expect you to call the auto-manufacturers and tell them NOT to follow it, when it comes to your car and your data – because you think that the government has no place passing a regulation of any kind, even if it makes your life safer.  

As Senator Markey puts it: “We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century.” We at the world office of Consumer Courage rarely get excited at the Consumer-protection-bill-introduction stage.  Our experience with legislation that is proposed to help consumers is that we feel much better at the press conference on the day the first version of the bill is introduced than we do on the day the final version actually passes.  As Mark Twain famously said “there are two things in the world that you don’t want to witness being made – sausage and legislation.” At this point all we can do is hope that this sausage doesn’t go bad, before it gets to market.  But, at least we’re talking about it.  (I would tell someone to tell the car makers that we know what’s going on; but, they’ve been listening in on our conversations for a while, anyway)

Posted by Mark Wiseman: who is awfully glad that nobody was spying on his driving (or parking) habits when he was a teenager.

Voting to give up your privacy – Interactive Ad campaigns for the Super Bowl

Is a free coke really worth the price of giving away your privacy?

The big advertisers (willing to pay close to $3.8 million for a 30 second spot during the Super Bowl)   are all raising the stakes this year by offering online contests during the game to get consumers to watch on TWO separate screens – (the second screen being your IPAD or other tablet device). They expect ¾ of the viewers to be viewing on “two screens”.   This year Coca-Cola wants consumers to engage in their advertising in an interactive way.  As a hook, they are offering a prize to the first 50,000 consumers who log in and create an account,   so they can pick their favorite team to win the “Coke Chase”; which is a fictional race by a group of cowboys; a group of show-girls on a tour bus and a group of bikers – who have evidently stolen the lost wardrobes from the Mad-Max film series – called ‘Badlanders’. They are racing through the desert in search of a certain carbonated cola. (We’re not joking)

So, what’s the harm in signing up for an on-line account anyway?

We’ve all done it.  Just before you buy that new gadget or sign up for a new promotion, you put most of your contact information into an application.  Then (before you can proceed) you are flashed to a screen with tons of tiny print and a box at the bottom that asks you to ‘Agree to the terms.’  Without thinking, you click ‘Agree’ and proceed.  What people don’t realize is that when they create an on-line account, they are giving the host-company permission to sell that information to anybody who asks.

Unfortunately, for the unsuspecting consumer, there is no law that prohibits the host company from sharing or selling your information to ANYbody for ANY purpose. In fact, to add insult to injury, the FTC’s telemarketing sales rule (which is the law that create the National Do-Not-Call Registry) considers the fact that you logged on to the advertiser’s website an “inquiry,” which means that for the next 90 days, you have waived your rights under the Federal DO NOT CALL law. Once you have ‘created your new ID,’ you have given the host company (Coca-cola, if you sign up for the ‘Coke Chase’) – and all of the companies that they sell your information to – permission to call, text, or send spam messages to you.

So what’s the prize that will entice you to give away your private information and waive your legal rights? [Drum roll please………] A free coke!!! Seriously? Is giving away your privacy really worth less than a $1.59 soft drink?

What other gimmicks are being used this winter to lure you in and cause you to make a formal ‘inquiry’ to these businesses that will allow them to sell your contact information?

 Budweiser wants you to name the new Clydesdale pony! (LOOK UP THE PRIZE FOR SIGNING UP)

 Doritos wants you to vote on one of five commercials in its “Crash the Super Bowl” contest – which allowed viewers to create their own commercial. o At least Doritos is giving away $1 million to the winner of its   But, of course only one person will win the Doritos contest.  (Everyone else will merely lose their privacy)

 Papa Johns is skipping the TV commercials this year, with a plan to concentrate solely on the second screen viewers by giving away a free pizza every 45 seconds, and a “chance” to win a $45 gift card. Hoping to sell a million pizzas on Super Bowl Sunday, if the game goes into overtime, everyone who has “registered” with them online will be eligible for a free pizza.

But, these contests beg the question: Is a free pizza or coke worth giving away your privacy?

Before you are lured into these gimmicks, watch this FTC video on Privacy Sharing, and read these tips from the Privacy Rights Clearinghouse   

Posted by: Nadine Ballard