OnStar Begins Spying On Customers’ GPS Location For Profit - TheNewTopical.com - current events, politics, culture, ethics, economics discussion forum

FredFredson · #1 (**permalink**) 21-09-11, 02:07 PM

← iOS 0830 Forensic Tools

OnStar Begins Spying On Customers’ GPS Location For Profit

Posted on September 20, 2011 by Jonathan Zdziarski
I canceled the OnStar subscription on my new GMC vehicle today after receiving an email from the company about their new terms and conditions. While most people, I imagine, would hit the delete button when receiving something as exciting as new terms and conditions, being the nerd sort, I decided to have a personal drooling session and read it instead. I’m glad I did. OnStar’s latest T&C has some very unsettling updates to it, which include the ability to sell your personal GPS location information, speed, safety belt usage, and other information to third parties, including law enforcement. To add insult to a slap in the face, the company insists they will continue collecting and selling this personal information even after you cancel your service, unless you specifically shut down the data connection to the vehicle after canceling.

The complete update can be found here. Not surprisingly, I even had to scrub the link as it included my vehicle’s VIN number, to tell OnStar just what customers were actually reading the new terms and conditions.
The first section explains the information that’s collected from the vehicle. No big deal. Sounds rather innocuous and boring. I imagine most people probably drool out and close the window by the time they get this far. Your contact information, billing information, etc. is collected. Nobody cares about tire pressure and crash information being collected – after all, that’s what OnStar is there for. Toward the end, you’ll read about how GPS data is collected, including vehicle speed and seat belt status. Again, in an emergency, this is very useful and most customers want an emergency services business to collect this information - when necessary. And the old 2010 terms and conditions only allowed OnStar to collect this information for legitimate purposes, such as recovering a stolen vehicle, or when needed to provide other OnStar services to customers on demand. As you scroll down the list of information collected, you see that once you get past important emergency services (what we pay OnStar for), OnStar now has given themselves the right to also use this information to stuff their pockets. OnStar has granted themselves the right to collect this information “for any purpose, at any time, provided that following collection of such location and speed information identifiable to your Vehicle, it is shared only on an anonymized basis.” – This provides carte blanche authority for OnStar to now track and collect information about your current GPS position and speed any time and anywhere, instead of only in the rare, limited circumstances the old contract outlined.
Anonymized GPS data? There’s no such thing! We’ve all seen this before – anonymized searches, for example, that were not-so-quite anonymized. But in this case, it’s impossible to anonymize GPS data! If your vehicle is consistently parked at your home, driving down your driveway, or taking a left or right turn onto your street, its pretty obvious that this is where you live! It’s like trying to say that someone’s Google Map lookup from their home is “anonymized” because it doesn’t have their name on it. It still shows where they live! What’s unique even more-so to OnStar is that the data they claim they sell as part of their business model is useless unless it’s specific; that is, not diluted to the nearest 10 mile radius, etc. This combination of analytics, and their prospective customers (law enforcement, marketers, etc) requires the data be disturbingly precise. Anyone armed with Google can easily do a phone book or public records search to find the name and address that resides at any given GPS coordinate.
So the GPS location of your vehicle and your vehicle’s speed are likely going to be collected by OnStar and sold to third parties. What kind of companies are interested in this data? OnStar would have you believe that respectable agencies, like departments of transportation and various law enforcement agencies (for purposes of “public safety or traffic services” – A.K.A ticket writing). I can imagine this data COULD be used for good, to create traffic based analytics to improve future road construction or even emergency response. But given that those types of decisions are only made once a decade in most cities, OnStar isn’t likely to benefit much financially from “respectable” companies.
What is more profitable to OnStar that your personal GPS data could be used for? Hmm, well how about the obvious – tracking you and your vehicle. It would be extremely profitable to be able to identify all vehicles within OnStar’s network that frequently speed, and provide law enforcement “traffic services” the ability to trace them back to their homes or businesses, as well as tell them where to set up speed traps. Or perhaps insurance companies who want to check and make sure you’re wearing your seat belt, or automatically give you rate increases if you speed, even if you’re never in an accident? How about identifying all individuals who shop at certain stores, and using that to determine whose back yard to put the next God-awful Wal-Mart store? How about employers who purchase these records from these third parties to see where their employees (or prospective employees) travel to (and how fast), sleaze bag lawyers who want to subpoena these records to use against you if you’re ever sued, government agencies who want to monitor you, marketing firms who want to spam you, and a long list of other not-so-squeaky-clean people who use (and abuse) existing online, credit card, financial, credit, and other analytics to destroy our privacy?
Add to this OnStar’s use policy of your personal information – the stuff that does identify who you are and ties it to your GPS records. While I have no problem using my personal information in events of an emergency, OnStar also uses my information to “allow us, and our affiliates, your Vehicle Maker, and Vehicle dealers, to offer you new or additional products or services; and for other purposes“. So not only is OnStar going to sell my vehicle’s GPS location data to a number of third parties, but they’re also going to use it and my personal information for marketing purposes. Imagine your personal data being sold to any number of their “affiliates”, and a few months later, you start to receive targeted, location-specific advertising based on where you’ve traveled. Go to Weight Watchers every week? Expect an increase in the amount of weight loss advertising phone calls. Go to the bar frequently? Anticipate a number of sleazy liquor ads to show up in your mailbox. Sneak out to Victoria Secret for something special for your lover? You might soon be inundated with adult advertising in your mailbox.
OnStar’s new T&C continues, explaining that part of the company may at some point be sold, and all of your information with it. It sounds as though OnStar is poising part of their analytics department to be purchased by a large data warehousing company, such as a Google, or perhaps even an Apple. Do you trust such companies with unfettered access to the entire GPS history of your vehicle?
This is too shady, especially for a company that you’re supposed to trust your family to. My vehicle’s location is my life, it’s where I go on a daily basis. It’s private. It’s mine. I shouldn’t have to have a company like OnStar steal my personal and private life just to purchase an emergency response service. Taking my private life and selling it to third party advertisers, law enforcement, and God knows who else is morally inept. Shame on you, OnStar. You disgust me.
To make matters even more insulting, it was difficult to ensure the data connection was shut down after canceling. I still have no guarantee OnStar did what they were supposed to. I had to request the data connection be shut down repeatedly, after the OnStar rep attempted to leave it on and ignore my requests.
When will our congress pass legislation that stops the American people’s privacy from being raped by large data warehousing interests? Companies like OnStar, Google, Apple, and the other large abusive data warehousing companies desperately need to be investigated.
These terms don’t go into effect until December 2011, and it takes up to 10 days to have the account fully cancel, and another 14 days for the data connection to be shut down… so if you want to get out of these new terms and conditions, you’ll need to do it soon.

Update:
Since writing this article, OnStar has reportedly told a few individuals that the contract requires them to obtain the customer’s consent in order to provide this information to anyone. Not true. In fact, the only mention of the word consent in their updated T&C is below:
We will comply with all laws regarding notifying you and obtaining your consent before we collect, use or share information about you or your Vehicle in any other way than has been described in this privacy statement.
Two points to make: first, this clause only applies to collecting and sharing information in any way that is not described in the privacy statement. All of the nefarious uses for your personal data are, quite clearly, described in the privacy statement, and so no consent would be required. Secondly, this paragraph makes it clear that they will only comply with all laws requiring consent, not that they will actually obtain your consent. I’m not a lawyer, but as far as I know, there are no such laws on the books in most (if not all) states that protect the consumer from having their private information shared or sold to third parties, especially when such sharing is disclosed in a contract. In other words, the above paragraph seems to do nothing to require OnStar to obtain your consent to do any of this – and it’s my firm belief that OnStar’s only real interest is in OnStar. If you doubt this, the older version of the terms and conditions had two more consent clauses that are no longer part of the new terms and conditions.
Old Consent Clauses – Now Removed:
In General, we do not share your personal information with third-party marketers, unless we have asked for and obtained your explicit consent.
Of course, we will notify you, and where required, ask for your prior consent if our collection, use, or disclosure of your personal information materially changes.

roadkill · #2 (**permalink**) 21-09-11, 02:34 PM

We're moving back to medieval village concepts of privacy, with youtube enhancement. Want to watch my next colonoscopy live-blogged? No, neither do I.

There is a faint possibility that the human race will respond intelligently, by getting used to the weird range of animals that we are. Could we get used to walking down a street where a guy is fucking a goat and a girl is having her colon topped up with a strawberry milkshake - and where police and politicians have stalls selling sport bumper stickers that say THIS IS WHAT I LIED ABOUT TODAY?

FredFredson · #3 (**permalink**) 27-09-11, 03:32 AM

US senator wants FTC to put heat on "brazen" OnStar for privacy changes
OnStar says it will track customers even after they quit using service
By Layer 8 on Mon, 09/26/11 - 4:28pm.

Layer 8: US senator wants FTC to put heat on "brazen" OnStar for privacy changes

US Senator Charles Schumer (D-NY) sent a letter to the Federal Trade Commission to get the agency to investigate recent changes made to navigation and emergency services company OnStar made to its privacy practices.

The stink, in a nutshell, arose as OnStar last week said it would continue to collect information about customers of its onboard auto services even after their subscription ends - unless specifically instructed by the consumer not to. In the past OnStar would have ended such tracking when a subscription ended. OnStar typically collects data about customers' location, speed, driving habits and odometer mileage.

OnStar also said that it now reserves the right to sell data collected on the driving habits of former and current customers to other companies and organizations, including a driver's location, speed, odometer reading, seat-belt use and air-bag deployment.

More on auto security: US wants to build cybersecurity protection plan for cars

From the OnStar privacy statement:

The following key changes were made to our January 2011 Privacy Statement:

* We have added more detailed information about the information we collect about you and about your Vehicle, including how we collect your information, what we do with it and how we share it. For example, unless the Data Connection in your Vehicle is deactivated, information about your Vehicle may continue to be collected even if you do not have a Plan.
* In addition to other purposes set out in the prior version of the Privacy Statement, we may use the information we collect about you and your Vehicle to improve the quality of our Service and offerings and may share the information we collect with law enforcement or other public safety officials, credit card processors and/or third parties we contract with who conduct joint marketing initiatives with OnStar.
* Finally, we have added additional information about how OnStar safeguards your personal information.

Schumer, who also wrote to OnStar, called the company's new policy represented a brazen, almost unheard-of invasion of the privacy of potentially millions of drivers. Also, in his letter to the FTC, Schumer called for an investigation into whether OnStar's new policy constituted an unfair trade practice under Section 5 of the Federal Trade Commission Act.

"By tracking drivers even after they've cancelled their service, OnStar is attempting one of the most brazen invasions of privacy in recent memory," said Schumer. "I urge OnStar to abandon this policy and for FTC to immediately launch a full investigation to determine whether the company's actions constitute an unfair trade practice."

According to Schumer six million American drivers use OnStar. Through the use of GPS technology and a two-way connection between the car and the company, OnStar is able to track drivers' locations and give them alternative driving directions, emergency response in the case of an accident, and a host of other services. Most new GM vehicles come standard with OnStar and drivers are often given 3 months of service free when they purchase a car installed with the service.

Schumer said such policy changes put consumers at risk for having sensitive personal data collected and shared without their knowledge. Although OnStar claims that it will anonymize any consumer data before selling it, hackers have made it abundantly clear how even anonymized, aggregated data can be matched up to identify individual users, he said.

Follow Michael Cooney on Twitter: nwwlayer8

FredFredson · #4 (**permalink**) 28-09-11, 12:44 AM

Looks like they blinked!

OnStar Reverses Decision to Change Terms and Conditions
Will continue to protect customer and vehicle data privacy

2011-09-27

GM News - United States - News

DETROIT – OnStar announced today it is reversing its proposed Terms and Conditions policy changes and will not keep a data connection to customers’ vehicles after the OnStar service is canceled.

OnStar recently sent e-mails to customers telling them that effective Dec. 1, their service would change so that data from a customer vehicle would continue to be transmitted to OnStar after service was canceled – unless the customer asked for it to be shut off.

“We realize that our proposed amendments did not satisfy our subscribers,” OnStar President Linda Marshall said. “This is why we are leaving the decision in our customers’ hands. We listened, we responded and we hope to maintain the trust of our more than 6 million customers.”

If OnStar ever offers the option of a data connection after cancellation, it would only be when a customer opted-in, Marshall said. And then OnStar would honor customers’ preferences about how data from that connection is treated.

Maintaining the data connection would have allowed OnStar to provide former customers with urgent information about natural disasters and recalls affecting their vehicles even after canceling their service. It also would have helped in planning future services, Marshall said.

“We regret any confusion or concern we may have caused,” Marshall said.

About OnStar

OnStar, a wholly owned subsidiary of General Motors, is the leading provider of connected safety and security solutions, value-added mobility services and advanced information technology. Currently available on more than 40 MY 2011 GM models, OnStar soon will be available for installation on most other vehicles already on the road through local electronics retailers, including Best Buy. The OnStar Mobile App is a recipient of the 2011 Edison Award for Best New Product in the Remote Driving Aids segment and OnStar Stolen Vehicle Slowdown is a recipient of the 2010 Edison Award for Best New Product in the Technology segment. OnStar safely connects its more than 6 million subscribers, in the U.S., Canada and China, in ways never thought possible. More information about OnStar can be found at OnStar.com - onstar.com.

AnonymousIdiotSavant · #5 (**permalink**) 28-09-11, 04:24 AM

Half blinked?

Sounds like they'll still sell all your data to whoever, whenever, just not after you cancel your membership.