OnStar Begins Spying On Customers’ GPS Location For Profit

Eugen Leitl eugen at leitl.org
Wed Sep 21 03:07:38 PDT 2011


http://www.zdziarski.com/blog/?p=1270

OnStar Begins Spying On Customers’ GPS Location For Profit

Posted on September 20, 2011 by Jonathan Zdziarski

I canceled the OnStar subscription on my new GMC vehicle today after
receiving an email from the company about their new terms and conditions.
While most people, I imagine, would hit the delete button when receiving
something as exciting as new terms and conditions, being the nerd sort, I
decided to have a personal drooling session and read it instead. I’m glad I
did. OnStar’s latest T&C has some very unsettling updates to it, which
include the ability to sell your personal GPS location information, speed,
safety belt usage, and other information to third parties, including law
enforcement. To add insult to a slap in the face, the company insists they
will continue collecting and selling this personal information even after you
cancel your service, unless you specifically shut down the data connection to
the vehicle after canceling.

The complete update can be found here. Not surprisingly, I even had to scrub
the link as it included my vehicle’s VIN number, to tell OnStar just what
customers were actually reading the new terms and conditions.

The first section explains the information that’s collected from the vehicle.
No big deal. Sounds rather innocuous and boring. I imagine most people
probably drool out and close the window by the time they get this far. Your
contact information, billing information, etc. is collected. Nobody cares
about tire pressure and crash information being collected - after all, that’s
what OnStar is there for. Toward the end, you’ll read about how GPS data is
collected, including vehicle speed and seat belt status. Again, in an
emergency, this is very useful and most customers want an emergency services
business to collect this information - when necessary. And the old 2010 terms
and conditions only allowed OnStar to collect this information for legitimate
purposes, such as recovering a stolen vehicle, or when needed to provide
other OnStar services to customers on demand. As you scroll down the list of
information collected, you see that once you get past important emergency
services (what we pay OnStar for), OnStar now has given themselves the right
to also use this information to stuff their pockets. OnStar has granted
themselves the right to collect this information “for any purpose, at any
time, provided that following collection of such location and speed
information identifiable to your Vehicle, it is shared only on an anonymized
basis.” - This provides carte blanche authority for OnStar to now track and
collect information about your current GPS position and speed any time and
anywhere, instead of only in the rare, limited circumstances the old contract
outlined.

Anonymized GPS data? There’s no such thing! We’ve all seen this before -
anonymized searches, for example, that were not-so-quite anonymized. But in
this case, it’s impossible to anonymize GPS data! If your vehicle is
consistently parked at your home, driving down your driveway, or taking a
left or right turn onto your street, it’s pretty obvious that this is where
you live! It’s like trying to say that someone’s Google Map lookup from their
home is “anonymized” because it doesn’t have their name on it. It still shows
where they live! What’s unique even more-so to OnStar is that the data they
claim they sell as part of their business model is useless unless it’s
specific; that is, not diluted to the nearest 10 mile radius, etc. This
combination of analytics, and their prospective customers (law enforcement,
marketers, etc) requires the data be disturbingly precise. Anyone armed with
Google can easily do a phone book or public records search to find the name
and address that resides at any given GPS coordinate.

So the GPS location of your vehicle and your vehicle’s speed are likely going
to be collected by OnStar and sold to third parties. What kind of companies
are interested in this data? OnStar would have you believe that respectable
agencies, like departments of transportation and various law enforcement
agencies (for purposes of “public safety or traffic services” - A.K.A ticket
writing). I can imagine this data COULD be used for good, to create traffic
based analytics to improve future road construction or even emergency
response. But given that those types of decisions are only made once a decade
in most cities, OnStar isn’t likely to benefit much financially from
“respectable” companies.

What is more profitable to OnStar that your personal GPS data could be used
for? Hmm, well how about the obvious - tracking you and your vehicle. It
would be extremely profitable to be able to identify all vehicles within
OnStar’s network that frequently speed, and provide law enforcement “traffic
services” the ability to trace them back to their homes or businesses, as
well as tell them where to set up speed traps. Or perhaps insurance companies
who want to check and make sure you’re wearing your seat belt, or
automatically give you rate increases if you speed, even if you’re never in
an accident? How about identifying all individuals who shop at certain
stores, and using that to determine whose back yard to put the next God-awful
Wal-Mart store? How about employers who purchase these records from these
third parties to see where their employees (or prospective employees) travel
to (and how fast), sleaze bag lawyers who want to subpoena these records to
use against you if you’re ever sued, government agencies who want to monitor
you, marketing firms who want to spam you, and a long list of other
not-so-squeaky-clean people who use (and abuse) existing online, credit card,
financial, credit, and other analytics to destroy our privacy?

Add to this OnStar’s use policy of your personal information - the stuff that
does identify who you are and ties it to your GPS records. While I have no
problem using my personal information in events of an emergency, OnStar also
uses my information to “allow us, and our affiliates, your Vehicle Maker, and
Vehicle dealers, to offer you new or additional products or services; and for
other purposes”. So not only is OnStar going to sell my vehicle’s GPS
location data to a number of third parties, but they’re also going to use it
and my personal information for marketing purposes. Imagine your personal
data being sold to any number of their “affiliates”, and a few months later,
you start to receive targeted, location-specific advertising based on where
you’ve traveled. Go to Weight Watchers every week? Expect an increase in the
amount of weight loss advertising phone calls. Go to the bar frequently?
Anticipate a number of sleazy liquor ads to show up in your mailbox. Sneak
out to Victoria’s Secret for something special for your lover? You might soon
be inundated with adult advertising in your mailbox.

OnStar’s new T&C continues, explaining that part of the company may at some
point be sold, and all of your information with it. It sounds as though
OnStar is poising part of their analytics department to be purchased by a
large data warehousing company, such as a Google, or perhaps even an Apple.
Do you trust such companies with unfettered access to the entire GPS history
of your vehicle?

This is too shady, especially for a company that you’re supposed to trust
your family to. My vehicle’s location is my life, it’s where I go on a daily
basis. It’s private. It’s mine. I shouldn’t have to have a company like
OnStar steal my personal and private life just to purchase an emergency
response service. Taking my private life and selling it to third party
advertisers, law enforcement, and God knows who else is morally inept. Shame
on you, OnStar. You disgust me.

To make matters even more insulting, it was difficult to ensure the data
connection was shut down after canceling. I still have no guarantee OnStar
did what they were supposed to. I had to request the data connection be shut
down repeatedly, after the OnStar rep attempted to leave it on and ignore my
requests.

When will our congress pass legislation that stops the American people’s
privacy from being raped by large data warehousing interests? Companies like
OnStar, Google, Apple, and the other large abusive data warehousing companies
desperately need to be investigated.

These terms don’t go into effect until December 2011, and it takes up to 10
days to have the account fully cancel, and another 14 days for the data
connection to be shut down... so if you want to get out of these new terms and
conditions, you’ll need to do it soon.

 

Update:

Since writing this article, OnStar has reportedly told a few individuals that
the contract requires them to obtain the customer’s consent in order to
provide this information to anyone. Not true. In fact, the only mention of
the word consent in their updated T&C is below:

We will comply with all laws regarding notifying you and obtaining your
consent before we collect, use or share information about you or your Vehicle
in any other way than has been described in this privacy statement. 

Two points to make: first, this clause only applies to collecting and sharing
information in any way that is not described in the privacy statement. All of
the nefarious uses for your personal data are, quite clearly, described in
the privacy statement, and so no consent would be required. Secondly, this
paragraph makes it clear that they will only comply with all laws requiring
consent, not that they will actually obtain your consent. I’m not a lawyer,
but as far as I know, there are no such laws on the books in most (if not
all) states that protect the consumer from having their private information
shared or sold to third parties, especially when such sharing is disclosed in
a contract. In other words, the above paragraph seems to do nothing to
require OnStar to obtain your consent to do any of this - and it’s my firm
belief that OnStar’s only real interest is in OnStar. If you doubt this, the
older version of the terms and conditions had two more consent clauses that
are no longer part of the new terms and conditions.

Old Consent Clauses - Now Removed:

In General, we do not share your personal information with third-party
marketers, unless we have asked for and obtained your explicit consent.

Of course, we will notify you, and where required, ask for your prior consent
if our collection, use, or disclosure of your personal information materially
changes.




