FTC proposes banning General Motors from disclosing geolocation and driving behavior data

Maybe we should have a guide on vehicle privacy :rofl:

7 Likes

Just wanted to add.
We should have had it long ago :slight_smile:

4 Likes

Yeah, if only there were a single car manufacturer worth buying from :joy: :sob:

3 Likes
5 Likes

Does that mean GM is now better rated than Renault in the previous car privacy investigation that Mozilla did?

Or will your private data suddenly “explode” out there after 5 years?

At least this has teeth for five years, but the fact that this isn’t outright banned says enough about the state of privacy for these corporations.

Why buy when you can build one yourself, like Gentoo?

As featured in one of those Fast and Angry movies or something


I’ll see myself out now.

What tf… An Oct 2024 article? I thought they stopped producing them.

Since it’s temporary no it’s not any better.
Also I’m surprised Mazda was never mentioned anywhere in the privacy community. In my research they seem to be more privacy respecting, especially if you avoid using their app…

1 Like

I read in some reports that Mazda is not privacy respectful. I’m not invested in it now to find the source, but there is the Reddit discussion: Reddit - The heart of the internet

I don’t think there is a single new car released that is privacy respectful.

This is why I clarified if you don’t use their app.
That’s the difference. (Also this doesn’t seem to be the same post I’ve found and doesn’t enforce the point), see:
https://redlib.freedit.eu/r/mazda/comments/ll3v7l/privacy_concerns_of_mazdas_connected_vehicle_auto/

Don’t get me wrong, now that I reread it, sure, it’s not great still. It isn’t, but it’s better than GM and other American brands like VW anywho. (And yes, perhaps Renault and Dacia are still better, I agree.)

for five years

Wowzers, they really do care about the people! /s


The proposal is now finalized by the commission:

The finalized order approved by the commission bans GM from sharing consumers’ geolocation and driver behavior data with consumer reporting agencies for five years.

Also, for the full 20-year duration of the order, GM must obtain express consent from consumers before collecting their data, using or sharing their connected vehicle data, with exceptions for emergency services.

The company must allow U.S. consumers to request copies of their data and seek its deletion, provide vehicle owners the ability to disable precise geolocation data collection, and enable them to opt out of location and driving behavior data collection (with some limited exceptions).

Ok so can GM “lend” someone else your data instead, and then pinky promise no money was exchanged*?

*something else of “no-value” was exchanged instead.

This is the scenario I had in mind. Big Corpo can, of course, wriggle its way through any wording by applying distilled oil from the sweat of lawyers it employs.

1 Like

Haven’t fully read the finalized report. But on first skim, location data seems vulnerable. It separately defines “Covered Driver Data”, “Deidentified” information, and “Location Data” separately. “Deidentified” is attached onto “Covered Driver Data” to make the term “Deidentified Covered Driver Data”. It might be theoretically possible for GM to similarly construe the term “Deidentified Location Data”.

And as we know, location data cannot be meaningfully deidentified when it is precise enough to make reasonable inferences. For example, even if my location data has no identifier linking it to my personal identity, anyone can reasonably infer that it is me if they know where I work and live, and that I use my car to drive there.

Also, the 5 years thing seems to only say that GM cannot disclose driver data to “Consumer Reporting Agencies”. “Third Parties” are defined elsewhere, so it’s possible that they can still sell/share it to other non-consumer reporting agencies. The order says that they cannot…

[. . .] sell or share data with any Third Party with whom Respondents previously shared Covered Driver Data until that Third Party confirms receipt of the instructions requesting it to Delete all Covered Driver Data previously obtained from Respondents.

So if they want to sell data to the third parties that they’ve already sold to before, those third parties must confirm that they’ve received instructions from GM to delete data that they previously bought. This doesn’t prevent GM from selling to other third parties who they haven’t yet sold to.

Here is the definition of “Third Party”:

“Third Party” means any individual or entity other than Respondents; Affiliates; or a third party service provider of Respondents that: (1) processes, uses, or receives data collected by or on behalf of Respondents for and at the direction of Respondents and no other individual or entity, (2) does not disclose data, or any individually identifiable information derived from such data, to any individual or entity other than Respondents or a subcontractor to such service provider bound to data processing terms no less restrictive than terms to which the service provider is bound, and (3) does not use data for any purpose other than performing the services specified in the service provider’s contract with Respondents.

Notice in point 2 “individually identifiable information derived [bold added] from such data”. This might potentially include reidentifying “deidentified location data” and giving it back to GM or some other “subcontractor”. Subcontractors for third parties cannot lower the bar for how they handle data compared to the third parties (meaning they cannot sell that data if the third party does not sell it, for example).

But point 3 says that third parties must only use the data as it is described in their “contract” with GM, meaning it might be possible that they can sell that data if that’s what the contract says? Not too sure yet. But as long as they are not “Consumer Reporting Agencies”, GM can technically give third parties data?

Again, haven’t fully read the order. Only quickly skimmed it thus far.