My 2025 Mazda Miata has a CAN connected Telematics Control Unit that sends a bunch of data to Mazda on ignition off. Among this data is acceleration and velocity data along with coordinates sampled for where you were. It is also used as a gateway for the Mazda app to start your car, query your vehicle's tire pressure, etc. It is claimed that you can opt out of this by calling Mazda and being persistent.
The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board and a can transceiver to enable writing a two way filter capable of blocking the traffic that didn't raise any DTCs (that I observed) and could be turned on/off by the user. I preferred this approach to complete disconnection of the module (which is noticeable via errors at the diagnostic port) or trying to faraday cage or disable the antennae on the TCU so it can't remotely send/receive. I can also turn off my module or completely remove it before I sell it.
I fear the next version of Miata will be an encrypted CAN like most other cars have moved to and even with my expertise I won't be able to access the latest safety features from new cars without surrendering what little privacy I've been able to claw back.
I opted to try the "beg the manufacturer to turn off the panopticon" approach[1]. The first time I got 2 hours of elevator music before hanging up, the second I went through 3 levels of customer support before they claimed it was done (3 days later). Might have to steal your approach to verify that though...
Have you posted any writeups or other information about how you built this? I'm eyeing a Mazda as a next car (I've never owned a car newer than a 2014, and outside of that one, any newer than 2006, but family safety needs may lead to getting a newer car soon), and telemetry seems like one of the few downsides to an otherwise good carmaker. Would be very interested to learn more!
> (I've never owned a car newer than a 2014, and outside of that one, any newer than 2006, but family safety needs may lead to getting a newer car soon)
I don't know much about automotive safety, but has much actually changed since 2014 in terms of safety standards? I had thought that by the 2010s, basically everyone big had already figured out how to build a relatively safe car from a structural standpoint. Or are you only talking about electronic assistive features, like proximity sensors or lane assist?
> The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board
And you didn't poison their databases and statistics with fake data?? OMG, I'm thinking of buying one of these cars just for this opportunity! (No, I'm not.)
I suspect this data is made "anonymous" and sold to insurance companies and misc data brokers. If it's linked to my insurance company, I don't want to jack my rates. Further, I've thus far avoided a CFAA conviction and I'd like to keep it that way.
So, it's like credit scores, basically? Advertise a happy, meritocratic future for consumers, where the "better"/more responsible ones will reap massive rewards at the expense of the "worse" consumers, and then keep adjusting the brackets until the system is only used punitively - you don't really get anything from a high score nowadays, your only goal is clearing a certain low bar to avoid negative consequences.
Yeah exactly... it's stick or no stick, the carrot is the razor thin margin only used to keep you away from the competitors.
At this point car insurance has gotten so bad that it's becoming normal that you can save hundreds of dollars by switching providers every 6 months. These companies are probably making millions on people who are just too exhausted to switch constantly.
It would be an extremely totalitarian dynamic to be persecuted with the CFAA for modifying a device you own based on part of it having been (nonconsensually!) programmed by a third party to upload data to their own server. You own the device, so anything you do within that device is authorized. And the code that uploads the data is authorized to do so because it was put there by the same company that owns [controls] the servers themselves.
I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law - so it's best to steer clear. And this goes double with with the current overtly pay-to-play regime. But just saying.
(Awesome description btw! I really wish I'd find a buying guide for many makes/models of cars that detail how well they can be unshackled from digital authoritarianism. A Miata is not the type of vehicle I am in the market for (which is unfortunate, for several reasons))
Guessing passwords is an attempt to access privileged information you have no right to access, and could not otherwise access without bypassing security measures.
Guessing a URL is an attempt to access (potentially) privileged information which was not secured or authenticated to begin with.
A password is a lock you have to break. An unlisted URL is a sticky note that says "private" on the front of a 40" screen. It's literally impossible for that information to stay private. Someone will see it eventually.
The question can be easily inverted for the other side: if any user accidentally damages a service's functionality in any way, can they always be criminally liable? Can this be used by companies with no security or thought put into them whatsoever, where they just sue anyone who sees their unsecured data? Where should the line be drawn?
To me, this is subjective, but the URL situation has a different feel than something like SQL injection. URLs are just references to certain resources - if it's left unsecured, the default assumption should be that any URL is public, can be seen by anyone, and can be manipulated in any ways. The exception is websites that put keys and passwords into their URL parameters, but if we're talking solely about the address part, it seems "public" to me. On the other hand, something like wedging your way into an SQL database looks like an intrusion on something private, that wasn't meant to be seen. It's like picking up a $100 bill of the street vs. picking even the flimsiest, most symbolic of locks to get to a $100 bill you can see in a box.
>The question can be easily inverted for the other side: if any user accidentally damages a service's functionality in any way, can they always be criminally liable? Can this be used by companies with no security or thought put into them whatsoever, where they just sue anyone who sees their unsecured data? Where should the line be drawn?
I don't think the question can be inverted like that, not meaningfully anyway. The CFAA specifically requires one to act knowingly. Accidentally navigating to a page you're not supposed to access isn't criminal.
>To me, this is subjective, but the URL situation has a different feel than something like SQL injection.
I don't think the url below is necessarily that different.
> GET wordpress/wp-content/plugins/demo_vul/endpoint.php?user=-1+union+select+1,2,3,4,5,6,7,8,9,(SELECT+user_pass+FROM+wp_users+WHERE+ID=1)
> if it's left unsecured, the default assumption should be that any URL is public, can be seen by anyone, and can be manipulated in any ways
It can be, but not lawfully so. It's not possible to accidentally commit a crime here, for example in the IRC logs related to the ATT case the "hackers" clearly understood that what they were doing wasn't something that AT&T would be happy with and that they would likely end up in court. They explicitly knew that what they were doing was exceeding authorized access.
> On the other hand, something like wedging your way into an SQL database looks like an intrusion on something private, that wasn't meant to be seen
I think you've reached the essence of it. Now, let's say you just accidentally find an open folder on a bank's website exposing deeply personal KYC information of their customers. Or even better, medical records in the case of a clinic.
Lets say those files are discoverable by guessing some URL in your browser, but not accessible to normal users just clicking around the website. If you start scraping the files, I think it's pretty obvious that you're intruding on something private that wasn't meant to be seen. Any reasonable person would realize that, right?
> GET wordpress/wp-content/plugins/demo_vul/endpoint.php?user=-1+union+select+1,2,3,4,5,6,7,8,9,(SELECT+user_pass+FROM+wp_users+WHERE+ID=1)
This is why I tried to make the clarification that I was referring to the address part of the URLs only, not the parametrized part. In my mind, something like /users?key=00726fca8123a710d78bb7781a11927e is quite different from /logins-and-passwords.txt. Although, parameters can also be baked into the URL body, so there's some vagueness to this.
> I think you've reached the essence of it. Now, let's say you just accidentally find an open folder on a bank's website exposing deeply personal KYC information of their customers. Or even better, medical records in the case of a clinic.
I guess if I try to distill my thoughts down, what I really mean is that there should be a minimum standard of care for private data. At some point, if being able to read restricted data is so frictionless, the fault should lie with the entity that has no regard for its information, rather than the person who found out about it. If a hospital leaves a box full of sensitive patient data in the director's office, and getting to it requires even the minimal amount of trespassing, the fault is on whoever did so. But if they leave that box tucked away in the corner of a parking lot, can you really fault some curious passer-by that looked around the corner, saw it and picked it up? Of course, there's a lot of fuzziness between the two, but in my mind, stumbling into private data by finding an undocumented address doesn't clear the same bar as bruteforcing or using a security vulnerability to gain access to something that's normally inaccessible.
same as this famous case, in which a supreme court justice is asked "what is and is not pronographie" - of course he realizes if he defines "what is not" people are going to make all kinds of porn right on the boundary (see: japanese pronographies where they do the filthiest imaginable things yet censor the sensitive books, making it SFW in the eyes of their law). this judge avoided that.
Anyways, parallel to the fact that filthy pronographies can be made a gorillion different ways, a "hack" may be manifested also a gorillion different ways. Itemizing such ways would be pointless. And also in the same vein, strictly defining a black and white line "this is legal, this is not" would cause hackers to freely exploit and cheese the legal aspect as hard as possible.. businesses and data miners and all these people would also freely exploit it, at massive scale and with massive funding, since it is officially legal. Thusly it must be kept an ambiguous definition as with pronographies, as with many things
Do you think the current line, where it's based on you "knowingly" exceeding your access or deliberately damaging the operation of a computer system, is excessively vague?
So if I deliberately exploit a bug on your website and download your customer database by typing things in my browsers URL bar, I should not be prosecuted?
Cyber attacks are consentual, digital engineering is the only discipline where we have complete mastery of the media. If you make a system (or authorize it) what someone does with it is your fault.
But when it's just a sequential-ish ID number, you have to accept that people will change the ID number. If you want security, do something else. No prosecuting.
I can't say I've ever struggled to make this determination, but I don't make a habit of trying random ports, endpoints, car doors, or brute-force guessing URLs.
But it was very tempting when i saw that my national exam results were sent to us in a mail as nationalexam.com/results/2024/my-roll-number. Why would i not try different values in the last part.
Try it once to see if it works, you'll probably be fine.
Find out that it works, and then proceed to look up various other people? Whether you're fine depends entirely on whether or not you genuinely believe that you're supposed to be accessing that stuff.
Passwords are different from URLs because URLs are basically public, whereas passwords aren't supposed to be. Furthermore, this is not 1995. Everyone who is in the industry providing IT services is supposed to know that basic security measures are necessary. The physical analogy would be, walking through an unlocked and unmarked door that faces the street in a busy city, versus picking a lock on that door and then walking through it.
> Everyone who is in the industry providing IT services is supposed to know that basic security measures are necessary.
And everyone who doesn't have wool for brains knows to not carry large rolls of cash around in a bad part of town, but we can still hold the mugger at fault.
Nevertheless, URLs are as public as door knobs. If someone is merely observing that a door is unlocked and they have not stolen anything, they have done nothing wrong. People being prosecuted over discovery and disclosure of horrible design flaws based on URLs should never be prosecuted. If they use the information to actually cause damage, we can be in agreement that they are responsible for the damage.
>People being prosecuted over discovery and disclosure of horrible design flaws based on URLs should never be prosecuted. If they use the information to actually cause damage, we can be in agreement that they are responsible for the damage.
Are you sure? I seem to remember people getting burned for publicly disclosing security vulnerabilities after stubborn agencies refused to fix them for years. Stuff like, exposing thousands of SSNs through a public gateway... We are literally having this discussion on URLs because of famous cases where people DID face unfair treatment. I don't recall any actual fix for this legal chicanery either. If you do, I would be very interested.
As a strictly logical assertion, I do not agree. Guessing URLs is crafting new types of interactions with a server. The built in surveillance uploader is still only accessing the server in the way it has already been explicitly authorized. Trying to tie some nebulous TOS to a situation that the manufacturer has deliberately created reeks of the same type of website-TOS shenanigans courts have (actually!) struck down.
As a pragmatic matter, I do completely understand where you're coming from (my second paragraph). In a sense, if one can get to the point of being convicted they have been kind of fortunate - it means they didn't kill themselves under the crushing pressure of a team of federal persecutors whose day job is making your life miserable.
>(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
If your goal is to deliberately "poison" their data as suggested before, it's kind of obvious that you are knowingly causing the transmission of information in an effort to intentionally cause damage to a protected computer without authorization to cause such damage.
>Trying to tie some nebulous TOS to a situation that the manufacturer has deliberately created reeks of the same type of website-TOS shenanigans courts have (actually!) struck down.
This has very little to do with the TOS though, unless the TOS specifically states that you are in fact allowed to deliberately damage their systems.
And no, causing damage to a computer does not refer to hackers turning computers into bombs. But rather specifically situations like this.
It's a legal term, has nothing to do with technical protections.
Practically any device connected to the internet is a "protected computer".
The only case I can think of where the defendant prevailed on their argument that the computer in question was not a "protected computer" was US v Kane. In that case the court held that an offline Las Vegas video poker machine was not sufficiently connected to interstate commerce to qualify as a "protected computer".
A computer being supplied with false data which it then stores is not damaging the computer - hence there being a provision about fraud. But for this case it's not fraud either, as the person supplying the data is not obtaining anything of value from the false data.
You are construing "integrity" to mean lining up with their overarching desires for the whole setup of interconnected systems regardless of who owns each one. By that measure, stopping the collection of data is impairing its availability on their system.
I would read that definition as applying only to their computer system - the one you aren't authorized to access. This means the integrity of data on their system has not been affected, even if the source of that data isn't what they'd hoped.
As I said, the law contemplates a different call out for fraud. This would not be needed if data integrity was meant to be construed the way you're claiming.
(For reference I do realize the law is quite unjust and I'll say we'd be better off if the entire law were straight up scrapped along with the DMCA anti-circumvention provisions)
I had assumed you were coming from a similar position, and your argument was more of a reductio-ad-absurdum.
But if you're not - the fact it's putting a chilling effect on this activity right here is a problem.
Another big problem is the complete inequity. It takes the digital equivalent of hopping over a fence and turns it into a serious federal felony with persecutors looking to make an example of the witch who can do scary things (from the perspective of suits).
Another glaring problem is that if the types of boundaries it creates are noble, then why does it leave individuals powerless to enforce such boundaries against corpos, being easily destroyed by clickwrap licenses and unequal enforcement? Any surveillance bugs/backdoors on a car I own are fundamentally unauthorized access, and yet I/we are powerless to use this law to press the issue.
>I had assumed you were coming from a similar position, and your argument was more of a reductio-ad-absurdum.
>But if you're not - the fact it's putting a chilling effect on this activity right here is a problem.
I've personally had my own CFAA-related criminal troubles in the distant past, but I still have a hard time seeing the big problems with CFAA so often touted on HN.
The activity of childish vandalism by flooding Mazda servers with garbage data? There's no chilling effect on simply not sending any data to Mazda.
The activity which was proposed earlier was explicitly malicious in intent, why shouldn't there be a chilling effect put on it? Do you not think the government should generally protect you from people taking explicitly malicious actions aimed at causing you harm?
In this context it is the motivation that makes the crime. You could absolutely modify your car in a way where the data sent to mazda is replaced with zeroes or random data, but you would need to do so in good faith.
Of course, when the activity is explicitly malicious as stated above ("poison their databases and statistics with fake data") it's not surprising that you'd be in violation of the law.
>Another big problem is the complete inequity. It takes the digital equivalent of hopping over a fence and turns it into a serious federal felony with persecutors looking to make an example of the witch who can do scary things (from the perspective of suits).
I just don't think this is actually happening. The cases often spoken of here are Auernheimer and Swartz.
I have a hard time believing that anyone can read the court files in the Auernheimer case and argue in good faith that such behavior should be legal. Among other things, the court papers contain a chat log of the co-conspirators discussing how to they should use the data they've scraped from buggy AT&T site to spam AT&T customers with malware. In the end that was too complicated, so they arrived at trying to leak the data in most damaging way possible to hurt AT&T share prices.
Swartz performed an admirable act of civil disobedience and faced up to 6 months in prison for that (realistically, he'd most likely never have spent a day in prison). I think what Swartz did is admirable, but that doesn't mean what he didn't shouldn't have been illegal. Just as what Snowden did was admirable, but legalizing such activities would have catastrophic consequences.
>Another glaring problem is that if the types of boundaries it creates are noble, then why does it leave individuals powerless to enforce such boundaries against corpos, being easily destroyed by clickwrap licenses and unequal enforcement?
I feel like this is conflating the problems that CFAA seeks to address with a completely different set of problems.
Corporations are bound by the CFAA just as much as you are, it's just that companies are rarely in the business of doing this sort of crime. Just as companies are rarely in the business of selling heroin.
> Any surveillance bugs/backdoors on a car I own are fundamentally unauthorized access, and yet I/we are powerless to use this law to press the issue.
The fact that CFAA mostly does not address these particular issues is not a problem with the CFAA, people (or companies!) buying devices with software they don't like was never something CFAA was intended to address.
There are reasonable, effective legal solutions to surveillance like this, like the GDPR.
It might be interesting for an enterprising lawyer to try to flip this around. Suppose you send a letter to your car manufacturer saying that, as the owner of the car, you are prohibiting them from accessing the location of the car or performing unauthorized software updates and that any attempt to circumvent this will result in criminal prosecution for unauthorized access to your computer.
If you were to purposefully try to poison/damage their dataset and admitted as such you probably wouldn't win without spending an unreasonable amount of money on lawyer fees. Without admitting anything though and claiming ignorance it would probably be pretty easy to get dismissed, provided you are able to spend atleast some money on a lawyer.
Sure, I have the same attitude when it comes to the government telling me that I'm not allowed to use drugs. Doesn't mean I'm in the clear from a legal point of view.
However, it's worth clarifying that the important detail isn't generating the data, but sending it. Particularly the clearly stated malicious intent of "poisoning" their data.
This seems like exactly what the lawmakers writing CFAA sought to criminalize, and is frankly much better justified than perhaps the bulk of things they tend to come up with.
>(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
Doesn't seem exactly unfair to me, even if facing federal charges over silly vandalism is perhaps a bit much. Of course, you'd realistically be facing a fine.
No, "protected computer" refers to computers protected by the CFAA.
>(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
>(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.
Just make sure you are criticizing the industry on things that are real. Accurate data collection (put not necessarily publication to a broad audience) is something industry does. Decision makers want to understand reality, they don't necessarily want you to though.
Draw the old twig and berries in gps coordinates in hundreds of random cities, with velocity between points carefully kept to regular traffic speeds every single day until they shut the modem off.
I see absolutely no reason not to completely unplug the cellular modem. The only thing that would stop me is an annoying error message or warning light in the gauge cluster. My car does not display any of these, but unplugging the modem results in losing the right speaker and microphone, unless a bypass harness is used.
The modem is usually in the sharkfin with the XM radio chipset and GPS. If you can unplug it at the sharkfin that's usually the best course of action. Some cars may bark at you, but mine just says it can't detect GPS if I attempt to use it (which I never use anyway).
Wouldn't it be better to connect resistive pigtails to the antenna connectors on the board? A little more work to get to, but less risk to damaging paint and weather seals, and would do a better job preventing signal leakage. I'm no expert on such things, but will definitely be looking at something like that for the next car I buy.
Not sure what you mean, the antennas are on the sharkfin board and you get to it from under the headliner not from the top of the car. It's much easier just to disconnect the cable that goes to the sharkfin than actually removing the entire module in the sharkfin.
They don’t want people modifying ADAS systems mostly, and the main requirement is SecOC, which is cryptographic authentication but the message is still plaintext. Basically they don’t want third party modifications able to randomly send the “steer left” message to the steering rack, for example.
The ADAS systems mandated in Europe are insanely intrusive. I had a few rental cars in Europe this summer and wanted to send them off a cliff. (and I'm not an auto tech luddite, I've had modern cars in the US with autopilot type systems, lane keep, blind spot warning, rear traffic assist radar, forward collision warning, etc. IMO rear traffic assist/FCW/AEB tend to work really well, autopilot pretty well, and lane keep and blind spot silly gimmicks at best).
Bring on the full self-driving cars, or let me drive my own car. This human-in-the-loop middle state is maddening. We're either supervising our "self-driving, but not really" cars, where the car does all of the work but we still have to be 100% aware and ready to "take over" the instant anything gets hard (which we know from studies is something humans are TERRIBLE at)... Or, we're actively _driving_ the car, but you're not really. The steering feel is going in and out as the car subtly corrects for you, so you can't trust your own human senses. Typically 40% brake pedal pressure gets you 40% brake pressure, unless you lift off the throttle and hop to the brakes quickly, in which case it decides when you apply 40% pedal pressure you actually want 80% brake pressure. Again, you can't trust your human senses. The same input gets different outputs depending on the foggy decisions of some computer. Add to that the beeping and ping-ponging and flashing lights in the cluster.
It's like clippy all over again. They've decided that, if one warning is good and helpful, constant alerts are MORE good and MORE helpful. Not a thought has been given to alert fatigue or the consequences of this mixed human-in-the-loop mode.
So much this. We had a rental BYD in Greece this summer, and while it was actually great car in general the mandated “assistance” was awful.
It constantly got the speed limits wrong, constantly tried to tug me out of the correct lane, and was generally awful. It could be disabled but was re-enabled on each restart of the ignition because it’s mandated by EU regulation.
I appreciate a Greek island perimeter road may be a worst case scenario, but it did the same with roadworks on the freeway and many other situations.
“Lane keep” yanks the wheel dangerously because it incorrectly detects the lane, or because you don’t indicate to pass a pothole on an empty road (which itself would be confusing to other road users)
Forward collision warning has misfired on 2 occasions on me in the last 3 years
The main issue is that so many cars have broken “auto dipping” headlights which don’t dip, or matrix headlights which don’t pick out other cars.
This automation shit should stop, but it won’t.
parking beepers are reasonable, they simply come on occasionally and don’t actually interfere when they go wrong. The rest of it just makes things far worse at scale.
> Forward collision warning has misfired on 2 occasions on me in the last 3 years
My Lexus is afraid of a bush behind my garage in the alley. It's on a neighbors property and not really overgrown, but my car refuses to get within about 5 ft of it. Makes backing out a nightmare. I haven't figured out a way to disable it, and have considered just selling this 2025 NX.
I integrated SecOC on some ECU's at work. I hate myself for it. I frigging hate what they're doing with this. I think it's going to make cars less repairable, less modifiable. It's a horrible horrible stupid initiative in the name of "cybersecurity".
I understand notionally where they were going, but it all sort of went off the deep end somewhere along the line. A concern that someone buying some "mileage blocker" or whatever other shady device off of AliExpress might be vulnerable to the device steering their car into a wall is actually quite a valid one, but of course the solution is some overcomplicated AUTOSAR nightmare that doesn't solve for key provisioning in a way to make modules replaceable.
I have less trust in their good intentions. I think OEM's want to lock down their platforms in order to squeeze extra revenue streams. And I tend to be quite charitable with my interpretations.
As an aside, I checked out your GitHub. Cool projects, the vag flashing tool looks super useful, might actually give it a spin in sive development projects.
Remove the antennas. Do not give in to the mirage of convenience.
Use a stand alone generic GPS. Vehicle GPS devices are anti privacy for so many reasons.
Listen to stored music from an SD card if terrestrial radio (NO SATELLITE). Did you know almost ALL late model cars can play a <128gb FAT32 USB drive with non- vbr mp3s? 64gb filled with 168kb mp3 audio would take roughly 3 years at 4 hours a day to listen to.
TURN YOUR PHONE OFF. Your phone does more than track you - the Bluetooth and wifi beacon scanners are always running. When you come across another person, most phones track the intersection of your beacon with theirs making a new data point that compromises both individuals privacy. Now consider sitting at a stoplight; you and and the 10 phones around you have now correlated the time and position you were sitting there. The person jogging by with no phone(but a set of Bluetooth headphones) is also tracked by their Bluetooth signature. Terrifying.
Disable autonomous driving hardware by unplugging the cables from the interior cameras. If your car needs to see and feel you in order to do it's job, it's co-dependent; break up with it.
Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?
> Did you know Orange dash error lights are non critical?
Your car will happily display an orange light while a bad fuel mixture is poisoning your catalytic converter to the point where it needs replacing to meet any kind of emissions test. Same with other signs of engine stress.
Don't ignore dash lights unless you know what they mean or you're willing to pay the cost of disposing of your car.
Of course many places won't even allow you to disconnect all the antennae as a non-functional TPMS makes your car unroadworthy in various jurisdictions. You could quickly reconnect everything and clear the error codes before testing, but I'm not sure if the hassle is even worth the illusion that of being untraceable.
>TURN YOUR PHONE OFF. Your phone does more than track you - the Bluetooth and wifi beacon scanners are always running. When you come across another person, most phones track the intersection of your beacon with theirs making a new data point that compromises both individuals privacy. Now consider sitting at a stoplight; you and and the 10 phones around you have now correlated the time and position you were sitting there. The person jogging by with no phone(but a set of Bluetooth headphones) is also tracked by their Bluetooth signature. Terrifying.
All phones nowadays have bluetooth/wifi mac address randomization, so it's basically useless for tracking, not to mention google/apple conscripting every phone into a wardriving network will kill battery life. Moreover all this effort in avoiding being tracked doesn't really mean much when all cars have a very visible and unique identifier that's mandated by law (ie. license plate).
> Moreover all this effort in avoiding being tracked doesn't really mean much when all cars have a very visible and unique identifier that's mandated by law (ie. license plate).
I agree with the first half, but not this. The difference between people seeing your license plate and your car/phone/etc systematically recording and storing your exact position is the same as the difference between someone on the street seeing my face vs. a facial recognition camera identifying me and storing that data point forever. People don't memorize or care about your plates. The police could take note of them or even put it on some record, but the number of cops is so low (and the number of cops that would care about my license plates is even lower) that whatever scraps of data are recorded would probably be pretty useless - and besides, that data isn't sold off to private entities, at least where I am.
But in exchange for being tracked we've been saved from the scourge of occasionally checking our tire pressure. Why, I'd give up almost anything just to be slightly more comfortable.
Yeah that's terrible advice. Learning to ignore safety warnings is an amazing way to wind up stranded or with a destroyed car because you decided to ignore a warning light
Check your tire pressures when you get gas, along with your oil and other fluid levels. Eyeball the tires every time you get in the car. These habits are not hard to develop and they will work even when the sensors malfunction (which is not infrequently).
All that these sensor-based systems do is train you to be an inattentive car owner.
All these low profile tires do make it a lot harder to eyeball your tires to an acceptable level and tell if they are low. But low profile tires are just in general kind of crappy already.
I do have a walk around the car before I set forth, but stuff happens.
Some drives are very long -- hours and hours between stops. I've had tires that aired themselves down during a drive. TPMS can alert me to that issue before I get an opportunity to have another walk-around, so I can stop and address it before it becomes a safety concern.
It's fine if someone want to live in a world without monitoring systems; anyone is free to drive an old car with points ignition and a carb if they want (or mechanical diesel! with an air starter, even! no electricity needed at all!).
And sure, there's a certain joy to driving something of relative mechanical simplicity.
But I like modern cars. And I like things like temperature gauges, closed-loop electronic fuel injection, oil pressure indicators, ABS, traction control, backup cameras, and [I dare say] tire pressure monitoring. I like cruise control. I like headlights that turn themselves on when necessary, and off again when they're unnecessary.
And as one might correctly surmise: It doesn't have to be that way: There's other ways to live. A person can also choose to walk, ride a bike, use a horse, commit to a lifestyle that is centered around public transportation, or whatever. The world is full of options.
I've chosen my path, and you can also choose yours.
(And no, that doesn't make me inattentive. My path involves both a belt and suspenders.)
Information is good but the number of "slow leak on a long drive" failures made less inconvenient by TPMS almost certainly pales in comparison to the inconvenience of maintaining the system for the average consumer.
Acting like all this is a safety concern is just textbook internet comment section lying through ones teeth type behavior. Yes, anything can be a safety concern at the limit but even tire failures on the road to not typically elevate to that level. The following framing of "well just drive an old car if you don't like it" is more of the same sort of dishonesty with a veneer of plausible deniability on top. There's no reason these systems need to be built in a way that they can't be disabled and leak PII. There's no reason just about all the systems you're trying to frame as a "bundle" have to be bundled in the first place.
Low tire pressures are a safety problem. Low tire pressure increases the likelihood of catastrophic tire failure. People can (and do!) die from catastrophic tire failures (and from complications of them, like being run over while changing a tire on the side of the road).
I'm not acting. This is not a performative display.
But yes: While I'm happier in a world with TPMS, I'd be even happier yet in a world where it was a quick and simple job to disable it in a reversible way. (Perhaps in some manner similar to the incantations used to disable the passenger seatbelt chime in many cars.)
Nonsense. People are still driving cars without TPMS, they can feel the difference while driving and do tire pressure checkups regular intervals depending on run. No issue.
Of course. A skilled driver knows their car very well, and can note by feel that the car is pulling somewhat to one side and correctly identify that this is due to low tire pressure instead of an external effect like road condition or wind, and then decide whether to address it or keep going.
A skilled driver can notice all kinds of other stuff using their senses, too.
For instance: When there's a plume of coolant coming out of the hood in front of them, they can deduce from observation that the engine temperature may be very high. They can also identify low oil pressure by observing the clacks and bangs of an engine that is starved for oil and tearing itself apart, or even by the silence of an engine that has ceased.
Or: Information. A light can illuminate on the dashboard the before these conditions are pronounced enough to feel, and the driver may then elect to use this abundance of information to take action before it snowballs into something that may become expensive or dangerous.
Throughout my entire life, I don't know if I have ever seen anyone measuring their tire pressure or checking their oil at a gas station. Visually assessing tires can be quite misleading as well - my TPMS indicator was just on, visually it looked like one tire (its pressure was fine), and the tire that was 10psi low looked normal.
Falling back to an attitude of not needing automation and instrumentation is a cope, and often a poor cope at that. The problem isn't the dash warning lights of the past several decades, it's the built in corporate surveillance hardware of the past single decade (and the corresponding violation of user trust in favor of corporate control).
I don't see it often either, but my government has been very active trying to get people to do bi-monthly tire pressure checks at the very least.
I don't think most people know how to do it, to be honest. Partially because people seem to think reading two pages in a manual is some kind of sisyphean task that no mortal should ever be cursed with.
It's pretty crazy how little people care. Even if you don't care about the safety aspect, keeping your tires inflated well saves you a ton on fuel and tire replacements.
Checking oil at once universal full-service gas stations used to be extremely common. Think it pretty much went away in late-70s petroleum shortage in the US. With modern cars, it just doesn't make a lot of sense given any semblance of scheduled maintenance adherence.
I (again) have a low pressure warning on one tire (getting colder in the Northern Hemisphere). It looks fine but I'll get my compressor out tomorrow and make the computer happy. A lot of modern tires can look pretty good even if, as you say, they can be quite a bit below recommended limits.
maybe an age thing? When I was in high school I worked at a gas station where we would pump the gas for customers at the "full service" lane and also check their oil. The game was to upsell people an oil change. Point is, everyone saw people getting their oil checked every time they filled the tank.
My point was that this is not any sort of widespread normalized behavior in the US in the past few decades. I was responding to a comment preaching as if this was routine behavior, and that people not doing it are simply being "inattentive".
I do get that it used to be a thing in the past. But that was also when oil was rated for 3k miles (I think? maybe it was even lower) and engines would routinely burn oil (ie consume it without leaving a drip spot on the ground). Whereas in the modern day, 15k synthetic exists.
FWIW, I probably do more of my own maintenance than the median HNer. I'll admit I can let intervals slip more than I'd like and I'm working on that, but this idea that everyone is checking fluid levels all the time just seems wildly off base.
>Falling back to an attitude of not needing automation and instrumentation is a cope, and often a poor cope at that.
A lot of modern automation is not really automation. A washing machine is automation: it takes a task which would have wasted hours of your day and reduces it down to a few minutes. A lot of modern "automation" doesn't save you any actual time time, but just saves you from being attentive:
- Checking your tire pressure doesn't take much time, but TPMS is a privacy problem and an added maintenance cost that you cannot opt out of.
- A power rear lift gate actually takes _more_ time than just shutting it with your hands.
- Power windows don't go down any more quickly than power windows. The only only benefit here is that you can open all 4 windows simultaneously. However this is a luxury, not something which saves you time. You never _need_ all 4 windows down. So maybe people like it, but it's not like the washing machine that actually saves you labor.
- etc ....
People think that needed to do or attend to anything is wasting time, but often modern automation saves no time whatsoever, and has other downsides. (privacy, maintenance cost, vehicle weight, etc.)
As someone who grew up in the pre-power-window 1970s and 80s, they absolutely do save time. You have to remember that manual crank windows went along with a lack of air conditioning. Being able to quickly roll down the windows (especially all four at once) in a hot car mattered.
My 2003 s-10 has AC and crank windows, my 2007 Ranger did too. Power windows sure are nice when you want to talk to someone out the passenger side and you don't have a passenger though. Or if you want a breeze regardless of AC.
> Power windows sure are nice when you want to talk to someone out the passenger side
Presumably the fundamentalists think you just need to yell louder. With neo-luddite opposition like this, its no wonder the surveillance society is winning.
It takes real time to get out a pressure gauge and check the pressure on each wheel, no? Furthermore, attention itself is a limited resource.
For example, power windows were always handy when getting on/off the highway and coming up to a toll booth where I'd have to give/take a ticket. It's much easier to hold a button (or even have a latching button) while spending my attention on actually driving.
I have one car with TPMS that's entirely done through the ABS controller measuring the relative diameters of the wheels. That's not a privacy or cost problem. Furthermore the privacy problem where wireless TPMS sensors are interrogatable is better framed as a security vulnerability in their design, rather than something intrinsic.
Weight is a red herring as I'd guess the fuel savings from having properly inflated tires outweighs the fuel spent on the extra mass.
Frankly? I do. Remove alcohol and drugs from the equation, and driving is an absurdly safe activity. Those intrusive features have very little to do with safety.
Yeah that’s great if you’re a CIA intelligence officer but what normal person can do this and still function in the modern world? Do the people who say this stuff leave their homes regularly?
And what’s the benefit of it all? Fewer targeted ads?
>Did you know Orange dash error lights are non critical?
That's not even remotely true for most cars. One of the most critical alarms you can get in a car is a flashing check engine light, which are usually orange.
Actually I wonder if cars will just adopt "oh-you-need-anti-theft" like phones do. To prevent auto theft, all cars will be tracked and all parts must match serial numbers.
> To prevent auto theft, all cars will be tracked and all parts must match serial numbers.
Well, I suppose that's one way to end third party repairs. Just refuse to turn on if the chip in the new part doesn't match up with a code in the ECU. Like printer ink, but for every major component.
'Error, cannot start engine: Authorised mirror not found. Please visit BMW for an authentic replacement. Driving with non-authentic mirrors may harm user safety.'
What's wrong with GPS in vehicles? If it's not connected to the internet, there is no issue.
What's wrong with playing music from the phone on Bluetooth or Aux? Did you also know you can ride a horse instead of a car?
Bluetooth and WiFi isn't running if you turned them off. Bluetooth also isn't really used for tracking unless someone is looking for you or you're part of some service like AirTags.
> Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?
>It's connected to the Internet. Every car has a SIM card now.
Maybe every new car, but the average car is 13 years old, and the OP made no clarification on whether his advice was for only new cars, or for a 2015 econobox as well.
My car is older than that and came with an embedded SIM card. Quite a few navigation consoles had "live traffic updates" (often in trial format, but sometimes "lifetime") that basically consisted of 2G clients occasionally updating traffic data along planned routes. Not quite bottom of the line at the time, but also not uncommon at that point either. It's probably slightly worse than the dedicated satnav screens people were buying back when the car was new, although neither compares to what a smartphone will expose passively from just being inside of a moving car.
There's other ways to get local traffic data, too. For instance: Traffic Message Channel, which can be broadcast with RDS on an FM station, exists.
As long as stations persist that transmit the data (it's sent over RDS), then it will continue to work. There's no subscription involved (or at least, there isn't for my car -- it works where it works, and there's no mechanism by which to pay for using it).
On the one hand, they won't be able to communicate with the home base anymore. On the other hand, they'll light up the map like a Christmas tree if someone ever turns on a stingray in their vicinity.
Most people don't know, and will never know whether their car is connected to the internet, so it's better to assume it is unless you have specific information. The app or phone you connect to the car could also be a major exfil point of this data.
I sympathise. However, being able to start de-icing my car while still in bed at 5:30 on a January morning is a powerful feature. And I'm the kind of person who wraps his tin foil hat no less than 10 layers thick.
Ideally this shouldn't involve the internet, because the car is in wifi range, but what can I do about it?
You could probably get a 3rd party remote starter, however that is going to certainly cost you extra and probably won't be as simple as old school remote starters.
People are suggesting all over these threads what we can do about it, but we (as a population) aren't. When my 2009 car dies, I'm going to deliberately NOT buy a new trackingmobile, and try to find another 2009 car to keep running. Yea, that means I occasionally need to take 30 seconds to scrape ice off the windshield. Big deal.
The number of cars from 2003 is already dwindling and it's only going to keep going down. It's certainly much easier to find cars from the late 00s-early 10s right now if your only priority is not being tracked or bound to a web of different digital services and subscriptions.
I won't mince words. This is criminal and should be dealt with that way. It is obvious I don't want my information collected and sold. I make it clear every reasonable chance I get. This goes beyond abuse of my privacy, this is digital assault and the company officers that allowed these 'features' should be thrown in jail for it.
Disabling the hardware can be really hard, my 2025 Toyota Sienna is always connected. You can't just pull a fuse or rip out an antenna, I have to take the entire dashboard apart to reach the Data Communication Module (DCM) module. If anyone's curious what that looks like, it's a little bit easier on the Toyota Tacoma, here are some pictures of the process: https://www.tacoma4g.com/forum/threads/disabling-dcm-telemat...
It's complex enough that I haven't done it yet in my Sienna, but I plan to!
On a 2021 Camry there is an below-dash fuse labeled "DCM" which you can remove (and it does disable OnStar/telemetry, but not sat.radio[0]) — it also disables one of the speakers (used for phone calls), which there is a bypass to resolve (but it still requires removing infotainment, so at that point just unplug it there.?!).
[0] It was my understanding that, like GPS-receivers, Sirius/XM was one-way streaming, only..?
There are GPS antennas that land on that DCM and the data from that is forwarded over carplay/android auto. Phones fall back to their onboard GPS but it's a much worse experience than we're accustomed to. If you share the car with someone expect complaints. Pulling the cell antenna(s) is the most elegant solution. People shouldn't be afraid of a little work.
as a professional diesel mechanic for a small chain of midwest shops, this "telematics" feature is on long-haul trucks as well as tractors (john deer is notorious for using it to send mail marketing about services.)
generally its not hard to disable.
- identify the telematics module in your car
- pull the fuse (not always an option, sometimes this disables bluetooth)
- alternatively: identify the 1-2 SMC connectors on the telematics device. this is the LTE and low/alt channel for the cellular communications. disconnect these 1-2 connectors and connect the ports instead to a 50 ohm terminator. the vehicle will simply continue to collect data but never be able to send it anywhere. the system will assume it just cant find a tower.
I tried this with a wifi setup on a car charger. I connected a 50-ohm dummy load in place of the antenna using the mmcx connector.
It didn't work - there was an on-module antenna that it switched to. Might not have worked as well, but it did work and the wifi access point still showed up.
On the other hand, some cars have a self-contained telematics module like you said and you can just unpower the whole thing.
I remember looking at a ford owners manual for a 2019. The fusebox section had a fuse with description "Telematics control unit - modem." I assume you can just pull that fuse.
The Toyota community has been far down that road with the DCM module in the new gen cars and found that the car still managed to get updates out to Toyota even with 50 ohm terminating resistors in the antenna connectors: https://www.tacomaworld.com/threads/simpler-solution-for-dis... (see the posts by user "Disgruntled Scientist").
Unfortunately simply cutting power to the telematics module also disables the in-car microphone for handfree calling. Fully disabling telematics involves making a bypass harness that re-routes the microphone and speaker signals past the disabled DCM module.
Amazingly but perhaps not surprisingly, cars in the EU do similar amounts of spying on you, but the EU is silent. Car manufacturers pretty much run the EU.
I have an electric car and if I want to remotely turn on charging, it won’t allow me unless the full data sharing option is enabled. Full data as in your driving data like a black box logger. I then have to go in the car, enable it, then I can remotely turn on charging. I have to remember to opt-out again later. Ironic I know because I can turn on charging from within the cabin without having to enable any of the data collection. What an inconvenient experience.
So you're telling me that simply walking out to the car and hitting a button inside the car is just too much of an "inconvenient experience"?
You know we used to have to drive the car... sometimes many miles... to a station, get out, and fill it up with a liquid fuel that costs many times more, and then drive home...
Seriously now- The perceived 'inconvenience' you have is the reason that so many of these connected features are being pushed and then the because the ability is there the business types can't resist the data gathering that became possible because of all the antennas, etc.
Yes, because it's entirely possible to do. Hell, the manufacturer even charged a price when you bought the car, or I can pay the $20 for my lifetime share of server usage.
There are a few options. You can plug it in your garage and charging can automatically begin due to a set schedule, like after midnight, or you can initiate it on demand using the cabin controls or using your iPhone as a remote.
I found the vehicleprivacyreport.com site awfully misleading. The "Vehicle Privacy Label" only lists what the manufacturer's current policies are, not what applies to my vehicle. It makes it seem like Toyota is somehow remotely collecting and sharings tons of information about my...2007 Prius. But this car came out in 2006, well before people assumed easy internet connectivity everywhere. Shy of having physical access to my vehicle, they can't read anything, but it's not easy to find that explanation on the site.
I'd like to see a website that ranks vehicles by make and model. That would influence shopping behaviors, and consumers would influence manufacturer behaviors.
I think it's wild that people spend their own money to surveil themselves every second they're near their car. Maybe I've seen too much lawyering on TV and in movies, but if I'm in a collision with you, I'm definitely asking the cops to pull the SD card from your dashcam.
Whenever I point out I think this self-surveillance is crazy, the response ends up sounding something like "oh, no big, if I think I did something wrong I'll just hide the evidence and lie to the police and say it doesn't work", which sure doesn't sit right with me.
Why do you think potentially self-incriminating self-surveillance is "crazy" when you also think lying to the cops and other involved parties about what happened is bad? If you believe it's important to tell the truth in these situations, you should have no problem providing your own recordings of a collision, regardless of who is at fault.
Or is your point just about the cost of the dashcam being "crazy"? In that case, hypothetically, what if your insurance company cut you a check to buy a dashcam of your own choice and install it on your car?
I think they're saying "I don't want to self-incriminate so I don't want to put myself in a situation where I have to lie". I'm not sure it's entirely consistent, but I also don't think it's entirely inconsistent.
If you believe you are at fault in a collision where police, insurance, etc. are involved, they are going to ask for your statement, and at that point you will be forced to choose between lying or admitting fault. If you're glad that no dashcam footage exists, presumably you are going to lie about what happened! I don't see why this is any different than popping the SD card out of your dashcam and lying about that too—you're still lying, and for the same reason: to evade responsibility for a collision you caused.
I think this is a pretty black and white and simple view of things, fault is not always 100% clear, and CLAIMING fault is different from explaining what happened _from your perspective_, and letting the other driver do the same. But I'm not actually speaking about simple fault in a basic traffic collision.
Obviously 99.999% of traffic collisions never get this far, but I'm speaking more of the world of courtroom legal drama where you'd rather not have your in-car conversations recorded, or the fact that you drove around the block of the house where the murder occurred at 3am.
I think there's a huge asymmetry between the upside of the dash cam and the downside of self-surveillance. I'm much more likely to be in a fender bender than accused of murder, but I also _simply don't care_ if the police say I'm at-fault when I don't think I was, driving my insurance rates up for a few years. But I'm deeply uncomfortable with the idea of recording myself 24x7 whenever I'm in my car.
> I think this is a pretty black and white and simple view of things, fault is not always 100% clear, and CLAIMING fault is different from explaining what happened _from your perspective_, and letting the other driver do the same. But I'm not actually speaking about simple fault in a basic traffic collision.
Seems like having video (and GPS speed, etc.) can only make it clearer who (which may include both parties) is at fault? I still don't see how that can be a bad thing if you also aren't interested in lying about what happened.
> I think there's a huge asymmetry between the upside of the dash cam and the downside of self-surveillance.
I almost addressed the generalized surveillance angle in my original comment, but didn't since it seemed that your comment was focused exclusively on the context of having been in a traffic collision.
Addressing it now, I guess I am just not too worried about this angle when my dashcam simply records videos onto an SD card that I have complete control over. If I was a person likely to be targeted by my authoritarian government, I would probably think twice about having such an unencrypted SD card sitting around where it might be swept up in a bogus search and used to gin up additional bogus charges against me, but that is currently not my situation. Really, I can only imagine the video evidence collected by my dashcam being used to exonerate me in a scenario like the one you describe, e.g. if an LPR tagged me on the block where the murder happened but my dashcam clearly showed that I was just passing through.
In fact, this exact thing recently happened (https://www.cbsnews.com/colorado/news/flock-cameras-lead-col...) to a woman who was falsely accused of theft based on LPR data and used her Rivian's dashcam recordings (among other data) to get the police to drop the charges. It's insane that this happened in the first place, but that's beside the point here.
Of course, people using cloud-based dashcams are certainly exposing themselves to dragnet surveillance—which I do have a problem with simply on principle—but the data on my dashcam's SD card are fundamentally inaccessible to law enforcement until they obtain it in a physical search of my car.
Nothing you can realistically do about it. In America car ownership for most people is mandatory. It’s unfortunate we don’t have alternatives if you disagree with car manufacturers extra “features”.
On the other hand, it is not mandatory to vote for politicians who continue to make our cities car centric.
You are not doing anything wrong if you are forced into buying a car due to the circumstances of your living. But voting to continue that makes your culpable.
So your plan would be to get rid of cars? Wow it's almost like government regulation imposed to dissuade people from free travel via personal automobiles through a thorough enshitification is working in the direction of their intent.
You mean they're actually asking for 15 minute cities? Yes sir, they are. Very good.
Well it's not free, we pay a lot of money to subsidize the highways and roads. If you like your highways and roads and want that freedom, what's better than having fewer cars on the road? That's one of the things that diverting some public funds from highways to other transportation options helps achieve. For those who could get to work or perhaps get to the grocery store by walking, biking, hopping on a bus, or taking a tram/street car that's cars off the road to make your life better.
The alternative is to be aware of this abuse and unplug the cellular modem. It requires more or less effort depending on the car, but it can and should be done.
It’s not a good alternative though because it puts you into a losing competition with the manufacturers. Take out the cellular modem? Next one requires connectivity to drive the car and so forth.
You could “ban” it, but the amount of effort required to raise public awareness for that and actually have our dickhead representatives due things like that is basically the same amount of effort, perhaps more, as building better cities and transportation modes.
We build and subsidize highways, we could do the same with other methods of transportation and have competition instead of big gubmint cars.
In many parts of the US, individual vehicles are the only viable mode of transportation. In fact, even in the NYC metro area, a car is pretty much indispensable, unless maybe you live in Manhattan and only rely on home delivery for groceries and the like. If you ever want to do anything outside of the city, you need a car.
>Take out the cellular modem? Next one requires connectivity to drive the car and so forth.
Find the cellular antenna and replace it with a dummy load. The car will think it's sending the data just fine but all it's doing is turning radio waves into heat.
And so on and so forth up until it’s just not worth the hassle as it even is today for most people. This isn’t a good problem to be solved with hacking. It’s a public policy problem.
Public policy is failing at the moment, so you have to take matters into your own hands. If enough people do this, then it will effectively become public policy. Inaction is not a solution.
I personally am, but there's only so much I can do. I am involved in our regional planning commission for transportation, and routinely write letters and call my representatives. I may donate some money to some of our local transportation organizations, but I'm not sure that's a good use of money yet so I haven't.
I agree with you in general though that public policy is failing. Specifically it's failing here where we continue to engage in and direct poor public policy positions because the government is very entrenched and addicted to spending taxpayer dollars. Asking the public to continue to play a catch up game of voiding their car warranty instead of actually solving the problem via policy is, in my view, simply not going to work.
We could lobby together for new federal and state laws to prohibit this kind of tracking without the affirmative consent of the purchaser—or, at the very least, make opt-out as easy as sending an email.
I wonder what the extremely rich do to get a car that isn’t a security risk? I’ve heard you can throw money at high end car dealerships to disable spying, but I wonder what the internal process is.
It's easier than that, you can remove the cellular modem. Dealers won't generally accept to make this mod, but any independent shop should be able to. There are also plenty of videos on YT to DIY.
I some months back called every independent EV mechanic I could find a listing for in my state to see if they would help me disable the cellular modem of any of the models I was interested in buying, and they mostly told me either that they couldn't or wouldn't. One of the more polite shops I got in touch with explained that many models don't have a separate board that can be disabled anymore, or otherwise have more things on the board that need to be talking on the CAN bus for other, actually important parts of the car to function. As such, I still have my old car.
Since then, I've learned about the 50ohm dummy antennas you can buy. I might try that if my car dies before an AWD/4WD Slate truck becomes an option, and also if my living situation can accommodate charging.
I thought about getting a traditional navigator to avoid even relying on phone navigation.
Well, of course all the Garmins and Tomtoms available now have "built-in wifi for updates" and often BT for phone notifications too. Sure, I could just not configure either but what if I want a navigator _without any radios_ and with controlled updates via SD card.
Maybe a dedicated Android phone in the car with offline OpenStreetMaps installed and airplane mode on is more realistic. Or some old 2nd hand navi that's still updateable.
I did do this, but I also want a reasonable modern and safe car and in the EU, since 2018, that means a car with eCall. I have a 2017 that I will keep going as long as is economical, but after that, it will be nearly impossible to avoid these systems.
The idea that a 20 year old car is unsafe is auto industry FUD. Yes, there have been great safety advances since the 1970s and 1980s. They've kind of tapered off though. I would absolutely trust my family's lives in any year 2000+ vehicle.
> I would absolutely trust my family's lives in any year 2000+ vehicle.
I work partly in prehospital emergency medicine and I wouldn't.
I already feel uneasy with our 2017 EuroNCAP 5 star SUV due to the improvements since then, in particular AEB and increased structural crash-protection, which greatly change the injury profiles of accidents.
Airbag and crumple zone safety requirements for crashes that aren't head-on are much more recent than the 2000s. Many car makers designed their cars to pass those, but will leave you dead or worse if you get T-boned.
ABS wasn't even a requirement in the EU until 2004, and American cars could be sold without ABS all the way until 2012, when traction control was also made mandatory (which the EU then also followed).
Things like the slightly-angled side pole crash test was only added to the Euro NCAP in 2015 and was updated five years later to make it a bit more realistic, though cars still woefully fail in many real-life scenarios.
I wouldn't really consider a car "safe" unless it passes the ~2015 requirements for car safety well. A well-designed car full of optional safety features from the ~2010s is probably also safe, but I wouldn't count on it unless you've done research into it.
I believe Volvo has had a reputation of being ahead of the curve with these kinds of crash safety tests, but even they had to improve over time.
IIRC, Massachusetts passed a right-to-repair law a few years ago. Based upon the text of the law, all new cars purchased there have the spying disabled because they did not want to give up their proprietary info.
There have been a lot of court cases about that law by the manufacturers, so I do not know the status at this point.
So I wonder if that is still the case. If it is and an out of state person buys new there, will that "spying" remain disabled when they bring the car home ?
"Now, according to Reuters, NHTSA has written to automakers to advise them not to comply with the Massachusetts law. Among its problems are the fact that someone “could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently,” and that “open access to vehicle manufacturers’ telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking.”
Faced with this dilemma, it’s quite possible the automakers will respond by simply disabling telematics and connected services for customers in the state. Subaru already took that step when it introduced its model year 2022 vehicles, and NHTSA says other OEMs may do the same."
It wouldn’t be surprising if cars also record audio of conversations to use for ad targeting. It has already been conclusively shown that TV companies have done this.
IIRC, Nissan even has a clause in their privacy policy for selling information about passengers having sex. Pretty hard to collect that without audio data.
Interestingly I can't get ChatGPT to help me find a video showing me how to disable the cellular modem on my Subaru 2024 Crosstrek. Time to do some old-fashioned research, I guess...
I ripped the wifi / onstar and gps antennas out of my 2020 Chevy Bolt the day after I bought it. Took me a couple of hours since the access was awful, but that's one time pain. No issues since, and I have a phone I use to drive the head unit so there was no need for those antennas to even exist.
I went to Carvana to get some idea on what my car might be worth. I gave them the license plate, and it gave me a questionnaire about specific trim and options along with asking about the current mileage. I couldn't remember the exact figure so I guessed rounded to the thousand. The app complained and wouldn't take it as they knew the mileage which was some 150ish miles more. Apparently my car has reported the mileage last time I drive it, which has been about an hour before.
Carvana knew exactly how many miles I had driven within an hour of me driving my car.
For the same reason the IRS makes you fill out how much you made last year. They know—they know to the penny. But making you fill it out is a humiliation exercise so they can "catch you out" and intimidate you.
Well in the case of the IRS, that, and you know, Intuit.
It's rather surprising/disappointing that "advice" like this makes no mention of how the automobile gains internet access
Does it (a) have it's own SIM card, (b) piggyback on driver/passenger/other vehicle SIM cards, (c) opportunistically connect to free wifi APs, etc.
Perhaps the surveillance data is only transmitted to the mothership when the automobile is being "serviced"
The automobile OS may be like the other corporate OS, e.g., iOS, iPadOS, Android, etc., in that there is no possible configuration or combination of user settings that does not allow data collection and surveillance for unlimited commercial purposes
Giving car companies your money (and then modifying your car) is still rewarding car companies for their bad behavior. We really need to stop buying new cars and somehow make it clear that telematics are the reason, but it's never going to happen. Not enough people care, and of those who care, not enough of them care enough to stop buying these cars.
But what's the point if you're just going to use Android Auto or Apple's car-thing instead? You're just letting some other company invade your privacy.
Consent and convenience. When I use google maps, I am trading my privacy for accurate directions and traffic times. When I buy a car that sells my location, and I get nothing in return, I feel like the deal is inequitable.
OsmAnd works fine in Android Auto with WiFi and mobile data turned off. Sygic does too. I believe TomTom also sells navigation apps that will work fine under these conditions.
I use Android Auto mostly because I don't trust manufacturers of car components to maintain their software and to put more than bargain bin SoCs in their infotainment consoles. There's no need for your Android phone to have a connection to the outside world if all you're using it for is locally installed apps.
NYC is the absolute best case in the US, if you're talking about the ability to exist without a car. It's not that no one talks about those millions of households, it's that they are all concentrated on a few standout islands (literally!) in a sea of the nearly identical car-only supermajority of cities. It's the exception to all exceptions.
Most people live in cities, but the vast majority of American cities do not approach even 10% of the quality and availability of transit in NYC. That's why I said that NYC is a massive outlier among the rest of the US.
People who are "pushing an agenda" aren't arguing that there should be no cars ever, anywhere. Cars are the smallest-scale form of long-distance transport, they are unavoidable in low-density areas or for services that requires complete flexibility. All the agenda-pushers I've seen in real life are just saying that there's better options within cities, at least for a lot of people. Most of the time, most people only move within their cities, myself included. If transit within my city was in any way adequate, I would choose it over the car. I could cover those rare out-of-city edge cases with rentals or train travel.
Besides, it's not even the same in Europe. In a few countries, maybe, but in the majority the inter-city transit or transit within small towns is not even in the same universe as what's available in most of the US.
And even in most of those metros (OK. Leave aside Manhattan), not having a car tends to imply a lot of lifestyle choices in terms of activities, visiting friends outside of the metro, etc.
There are certainly people who are OK with living like they did in their urban school for a few years after graduation. But that's not a long-term solution for most people.
A massive chunk (if not majority?) of those top 20 metro areas are largely car dependent for most of their populations. Large areas don't have any public transit at all, and the rest is often designed to be actively hostile to pedestrians.
Try living without a car in these places, all in the 4th largest MSA.
It’s not useful if you generally fly most places you travel to. An of course if you’re going months-years without using a car then renting becomes relatively more convenient.
Not possible when things are 10+ mile apart and a general grocery run takes 3+ hours and you can't carry more than a backpack, so you have to do it multiple times a week.
The US is ripe for an e-bike revolution. The distances, the wide roads with plenty of room for bike lanes, and the revulsion against things like Flock...
Unfortunately it's as likely as this being the year of the Linux desktop because Windows 11.
The Chat Control problem isn't nearly as final as some news sources try to brand it. They were running up against deadlines and submitted their work knowing statistically their proposal would get shot down based on existing voting rounds.
I, too, would rather see this bullshit die in committee before reaching the next stage, but this bullshit can still be stopped.
In the EU, eCall is mandatory and disabling it fails most roadworthiness checks and voids most insurance policies, so it doesn't help much.
Also, while the EU does (for now) have stronger privacy protections for citizens against corporate interests, the opposite is true in most EU countries for Government surveillance.
While eCall has some weak privacy protections (it's open to all the standard cellular network surveillance lawful in each country), it also means you cannot disable the vehicle's modem in most (maybe all) EU countries with failing roadworthiness checks and insurance policies.
eCall mustn't be active until an accident occurs. The lawful interception lobby tried hard to turn every car into a free data point they could sell to the government, but their efforts have failed.
Last I heard they've shifted their efforts to making remote activation of on-board cameras part of the 5/6G smart car bullshit (which will of course be part of road safety requirments not long after).
Annex VII only rules out connecting to the PSAP/112 side, not routine network attaches. To detect faults in the “means of communication”, the IVS has to verify that the SIM, baseband and RF path are actually usable, and you can’t test that without a network attach.
In practice that’s what all current eCall implementations do. The modem attaches to the cellular network at each ignition so it can confirm it’s capable of placing an eCall. If you block the modem or antenna, the IVS fails its self-test and the vehicle is no longer roadworthy.
Does that mean the modem used for eCall is the same that is used to transmit telemetry? Because that's a level of shitty I hadn't even considered. That said, it would go against the spirit of the law as I read it.
There are always workarounds, of course, but that does pose an annoying problem to patch.
Yes, unfortunately in all modern calls there's a single Telematics Control Unit with a modem, GPS/GNSS, eCall (where required) and whatever OEM telemetry stack.
Like you say, there are always workarounds, but none that the home-gamer can safely or legally modify without taking eCall out of compliance.
There are standalone eCall units for retrofitting, e.g. [1] and likely soon more since 2G/3G gets phased out. Presumably you could disable the manufacturer’s built-in system and use standalone system instead?
Cars, your TV, your phone, everything is fucking spying on you. At this moment I am more interested in how I generate a tsunami of more data about me to the powers that be to drown them in a deluge of irrelevant bits.
Yes, and that's very sad. However the solutions are pretty obvious:
Car -> unplug the cellular modem (more or less easy)
TV -> used as dumb monitor with a Linux HTPC
Phone -> GrapheneOS
PC -> Linux
Social media -> /dev/null
Email/DNS/cloud -> my own
The real issue is that most people are not aware of these issues and may even (unintentionally) compromise your own privacy by posting information or pictures of you to Facebook or other similar places.
HN is not a social media platform in the traditional sense. For one, it is completely anonymous, unless your "handle" is somehow linked to a real identity (by choice or otherwise). It's very, very different from posting every aspect of your life on a platform like Facebook.
I'm surprised how many people think that keeping a low profile will matter in a society that attacks people for things you could discover from vehicle position data. In that society, you'll get attacked if someone wants to do it and they'll manufacture the pretext.
I think the attack vector most are considering are going to be government-sourced mass-targeting of individuals based on data triggers rather than any particular interest in the individual. The current example being many of the 12,000 annual arrests in the UK for online speech, many based on private messages. For many of those cases, these were private individuals in whom the government had no prior interest.
It's not difficult to imagine something like pandemic restrictions, where a digitally-enabled government could fine/arrest people based on location data, either because they travelled outside an allowed area or into a restricted one. Or they have data showing they were in close-proximity with too many people etc etc.
Those e-scooters are a red herring. Ring cameras on everyone's front door and automated license plate readers (ALPR) on police vehicles and Flock cameras throughout cities are bigger concerns in America.
Flock is already known to assist the government surveilling protestors:
The even worse part of Flock isn't that they cooperate with the government, it's that there is(or was) basically no security in the service. Cops from one state can/could use flock services from other states. A few cops got caught stalking via Flock.
Flock takes the "do nothing until forced to" mentality.
It's where we are. Everything everywhere is collecting data and spying.
If it exists in a database, then the government has access to that database if it ever wants to legally or otherwise. It's been like that since 9:11 and probably before.
All we need now is for the right person to walk in and turn the key. We're lucky that Donald Trump is probably too stupid to understand what he's got under his thumb.
How do you write an article about this and not mention the GDPR or EU privacy laws?
>"It’s hard to figure out exactly how much data a modern car is collecting on you"
You are a globally operating news agency. You can absolutely get some GDPR requests in and look at it. What kind of reporting is this? "We don"t know, but we also have not tried the one way which forces companies to answer this question".
BMW is a German company, just ask them for the information they have on you and they are forced to give it to you.
Mozilla's concentrated efforts took a while, they're right that it's hard to figure out exactly what car manufacturers are doing. Unless you're willing to sue a bunch of them, plain GDPR requests won't be enough to get this information. Companies will happily lie or declare information collected as "non-personal" or "trade secrets" and if they're smart enough about the way they process their data they can probably convince a judge that the end result isn't personal enough that exposing their trade secrets weighs up against the GDPR.
There's no way even a large news corporation is going to buy every model car from every brand that comes out in a year to get the legal rights to demand data, let alone pursue these data requests in court. Renting cars may be easier, but then your contract is with the rental company and they're responsible for getting you the information you require, and after the first three PII requests you're not going to be renting from them any time soon.
I'm not saying they couldn't do a deeper dive with more detailed research, but it's not an easy task to evaluate an industry like this. All they'll be able to produce is general statements about a limited set of car models that'll quickly be outdated once the next software update comes out.
Not always possible, depending on model, skill level, and/or availability of a mechanic that's willing to try. My own search for a mechanic to mod any of the cars I was looking at buying was fruitless and left me with the decision to hold onto my gas guzzler for a while longer.
The problem is a lot of the features of these cars require you to opt into giving your privacy away. And when you’re shopping it’s not clear where that line is.
nothing. And banning ALPR wont fix anything either. All cars have 4 unique serial numbers broadcast via radio at all times via the TPMS system. you don't even need a camera, just a radio receiver.
Checked how to receive those with SDR. Turns out they are very low power and you need to basically touch the tire. Also the transmit in minute intervals. Bit exactly a a smoking gun in terms of mass surveillance.
Depends on the TPMS implementation to be honest. Most of the UHF ones are impossible to receive unless you're using some optimally placed/pretty powerful equipment. Even then, the protocol is entirely up to the vendor, as long as the system is reliable.
My car is old enough that it doesn't have TPMS sensors but I have looked into third party ones. It looks like there's all kinds of systems, from custom UHF to Bluetooth LE. No idea what your car uses.
Ideally the implementation would be immaterial to a ban. The ban (or more likely first, warrant requirement similar to cell data) would be on the tracking database, not the details of how the tracking was accomplished.
No, I have a tyre pressure gauge. Every so often I check the tyre pressures and maybe stick a bit more in if it needs it.
Some VWs used to use wheel speed, though, which was fun because they added tyre pressure checking with a software upgrade. Not terribly accurate, but enough to tell you if one was low.
A 2013 Chevy Volt has a camera on the dashboard pointed at the driver. The entertainment dashboard has a dozen communication options, including those for safety? Zealots and the unhinged will quickly comment no doubt, but for the rational citizens I ask, when was this normalized? Was it automakers emboldened by the acceptance of cell phone central record keeping?
"Safety" is a magic word like "god" was a thousand years ago. If you say it just right you can manufacture an excuse to do all sorts of stuff that'll clearly lead to bad stuff if left to run.
They undoubtably said things like "if it saves even one person from falling asleep at the wheel it's worth it" or something along those lines.
this is still a technology advancement... what if smartphone usage or asleep safely stops the car? what if this run locally? or what if it's linked to public entities that will add penalty points to your license?
as a cyclist and public transport user with no driver license, i hope personal vehicles have so much sensors that they can detect if you are drunk or stressed and limit your reaches. fuck your metallic beetle
>as a cyclist and public transport user with no driver license, i hope personal vehicles have so much sensors that they can detect if you are drunk or stressed and limit your reaches. fuck your metallic beetle
What a great illustration of the sort of selfish opinions that people like to peddle under the guise of perceived common good.
Are you willing to have your bike brakes linked up with GPS and red light signals? It's in the name of safety and progress after all.
in a city that doesn't produce even 1/25 of microplastic thousand kilos vehicles produce? because that also has an impact on marine ecosystems, by the way, cars are linked as one of the highest if not the, pollutants of microplastic. in a city that doesn't have air pollution linked towards a bunch of disease? in a city that doesn't have noise pollution that also has a bazinga of negative impact?
are you really naive to believe cyclists wouldn't respect traffic lights on a city designed after walk and public transportation? or are you thinking on the minimal cyclists that get killed by tresspasing this rule by vehicles that get a mild scratch? or the light or mild injuries bicycles at 15-25 km/h are gonna cause between each other?
edit: i would even go further and hope personal vehicles production is ceased and their circulation becomes a crime for citizens on non-legal or non essential services duties. i would live perfectly fine in a city without those but who controls the speed of my bicycle on cycle paths or that lock my brakes if i try to cycle high
You didn't answer his question: Would you be willing to have your bicycle brakes linked up with GPS and red light signals? Or loaded down with sensors monitoring and correcting your bicycling activity for your own safety?
> are you really naive to believe cyclists wouldn't respect traffic lights on a city designed after walk and public transportation? or are you thinking on the minimal cyclists that get killed by tresspasing this rule by vehicles that get a mild scratch? or the light or mild injuries bicycles at 15-25 km/h are gonna cause between each other?
An excellent demonstration of "cyclebrain syndrome", the urban twin to suburbia's "carbrain syndrome".
> are you really naive to believe cyclists wouldn't respect traffic lights on a city designed after walk and public transportation?
Translation: I am aware of cyclists' ubiquitous poor behavior on the roads but will reach for any justification to shift responsibility to someone else. "Drivers wouldn't be running red lights if you just added a couple more lanes, bro."
> or are you thinking on the minimal cyclists that get killed by tresspasing this rule by vehicles that get a mild scratch?
Translation: And when cyclists' poor behavior causes a fatal collision with a car, nobody cares about the damaged property. Or the mental anguish, or the collisions caused by narrowly avoiding killing an errant cyclist (who survives, oblivious, thanks to the driver's quick action choosing a more costly crash over a "mild scratch" that kills the cyclist).
> or the light or mild injuries bicycles at 15-25 km/h are gonna cause between each other?
Translation: I don't give a shit about killing/injuring pedestrians any more than car drivers do. I only care about collisions with things that are about the size of my vehicle or bigger. And if those other things are bigger than my vehicle--I want them banned! That way I reduce the risk to me, which is what I really care about, and who cares what happens to anything smaller than me?
My house is fairly close((125') to a rural "highway", and only internet here is mobile data that my phone shares with other devices and mornings(anytime) my older desktop with 2.5 ghz wifi gets bumped off with the passing of every car that has glaring supper white headlights,but, not the ones running yellow incandecents, whatever rf signal is comming of these things must be barely, or completly illegal, and could obviously be tracked in any number of ways, so not so much bieng spied on, as just flat out trasmitting everything you do in ridiculously fine grained detail.
> The first thing drivers should do is be aware of what data their car is collecting
> You can opt out
lol
this makes it seem so simple.
I think
- you will never be aware of what data is collected - they want to collect more data and never disclose it
- you will never be able to opt-out. Even if you disconnect from cellular, at service time they will just download what is there.
- car manufacturers will use any and all data to their benefit
You know, here's an interesting story I remember reading:
I will give you a story - buddy owns a shop - buys new M5 - he went out joyriding - warped a rotor - he said it was not from him so he tried a warranty service - BMW printed a page that his car recorded. It had snapped a pic of his face and sent all the data on speed, location, etc every bit of data you can think of to the dealer and his insurance company. He sold the car. That was years ago. Ask any custom tuner today if they can touch a 22 BMW. Nope. It will disable the car if you try and get into the CPU to tune it. This is where the industry is heading
Similar story with a user's earlier Model S - they used to drive it like they were being chased by the cops, and so when it was time to swap the degraded battery under warranty, (as they said) "a nerd" came out of the back of the service center "with a bunch of paperwork from the database" and Tesla denied the claim.
We need to resist this stuff or else there will be Flock, stalker cars, and some other new nightmare they excuse by saying “well we’re already watching…”. Can’t let ourselves accept this is normal!
I worked on the data platform at a smaller car co, and there were tight controls around getting access to precise geo data, and there were strong privacy advocates at higher levels. Wasn’t a perfect system, but “spying” would be far from what I saw
The car data collection story is concerning, but it's part of a broader pattern: credentials and personal data are scattered across dozens of services we interact with daily.
The automotive example shows how even "non-tech" products now collect and transmit data. Each service creates another attack surface, another set of credentials to manage, another potential breach vector.
What's frustrating is that breach response still falls on individuals. When one of these services gets compromised, it's users who have to scramble to change passwords across potentially hundreds of connected accounts. The "change your password" advice is good but wildly impractical at scale.
My 2025 Mazda Miata has a CAN connected Telematics Control Unit that sends a bunch of data to Mazda on ignition off. Among this data is acceleration and velocity data along with coordinates sampled for where you were. It is also used as a gateway for the Mazda app to start your car, query your vehicle's tire pressure, etc. It is claimed that you can opt out of this by calling Mazda and being persistent.
The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board and a can transceiver to enable writing a two way filter capable of blocking the traffic that didn't raise any DTCs (that I observed) and could be turned on/off by the user. I preferred this approach to complete disconnection of the module (which is noticeable via errors at the diagnostic port) or trying to faraday cage or disable the antennae on the TCU so it can't remotely send/receive. I can also turn off my module or completely remove it before I sell it.
I fear the next version of Miata will be an encrypted CAN like most other cars have moved to and even with my expertise I won't be able to access the latest safety features from new cars without surrendering what little privacy I've been able to claw back.
I opted to try the "beg the manufacturer to turn off the panopticon" approach[1]. The first time I got 2 hours of elevator music before hanging up, the second I went through 3 levels of customer support before they claimed it was done (3 days later). Might have to steal your approach to verify that though...
[1] https://www.mazdausa.com/site/privacy-connectedservices
Have you posted any writeups or other information about how you built this? I'm eyeing a Mazda as a next car (I've never owned a car newer than a 2014, and outside of that one, any newer than 2006, but family safety needs may lead to getting a newer car soon), and telemetry seems like one of the few downsides to an otherwise good carmaker. Would be very interested to learn more!
> (I've never owned a car newer than a 2014, and outside of that one, any newer than 2006, but family safety needs may lead to getting a newer car soon)
I don't know much about automotive safety, but has much actually changed since 2014 in terms of safety standards? I had thought that by the 2010s, basically everyone big had already figured out how to build a relatively safe car from a structural standpoint. Or are you only talking about electronic assistive features, like proximity sensors or lane assist?
> The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board
And you didn't poison their databases and statistics with fake data?? OMG, I'm thinking of buying one of these cars just for this opportunity! (No, I'm not.)
I suspect this data is made "anonymous" and sold to insurance companies and misc data brokers. If it's linked to my insurance company, I don't want to jack my rates. Further, I've thus far avoided a CFAA conviction and I'd like to keep it that way.
As anonymous as there are Miatas in your neighborhood parking in your driveway.
Then do the opposite. Poisoned data that can improve your insurance rates
they use the data mostly to charge you more, you can't really get the price all that lower
I've had a clean driving record for 30 years and I'm still paying the junk rates most other people get
So, it's like credit scores, basically? Advertise a happy, meritocratic future for consumers, where the "better"/more responsible ones will reap massive rewards at the expense of the "worse" consumers, and then keep adjusting the brackets until the system is only used punitively - you don't really get anything from a high score nowadays, your only goal is clearing a certain low bar to avoid negative consequences.
Yeah exactly... it's stick or no stick, the carrot is the razor thin margin only used to keep you away from the competitors.
At this point car insurance has gotten so bad that it's becoming normal that you can save hundreds of dollars by switching providers every 6 months. These companies are probably making millions on people who are just too exhausted to switch constantly.
It would be an extremely totalitarian dynamic to be persecuted with the CFAA for modifying a device you own based on part of it having been (nonconsensually!) programmed by a third party to upload data to their own server. You own the device, so anything you do within that device is authorized. And the code that uploads the data is authorized to do so because it was put there by the same company that owns [controls] the servers themselves.
I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law - so it's best to steer clear. And this goes double with with the current overtly pay-to-play regime. But just saying.
(Awesome description btw! I really wish I'd find a buying guide for many makes/models of cars that detail how well they can be unshackled from digital authoritarianism. A Miata is not the type of vehicle I am in the market for (which is unfortunate, for several reasons))
If you can be prosecuted for guessing urls you can be prosecuted for sending garbage data in a way you know will be uploaded to a remote system.
The DoJ lost the case they went after for someone guessing URLs.
They lost it because they charged in the wrong jurisdiction.
Also come on, you can't reasonable describe that case as being about "guessing urls". It's the associated chat logs that really make the case.
link me
You think criminalizing guessing URLs is unreasonable.
What about guessing passwords? Should someone be prosecuted for just trying to bruteforce them until one works?
Guessing passwords is an attempt to access privileged information you have no right to access, and could not otherwise access without bypassing security measures.
Guessing a URL is an attempt to access (potentially) privileged information which was not secured or authenticated to begin with.
A password is a lock you have to break. An unlisted URL is a sticky note that says "private" on the front of a 40" screen. It's literally impossible for that information to stay private. Someone will see it eventually.
Guessing URLs is equivalent to ordering an item not on the menu in a restaurant. The request may or may not be granted.
This same logic is easily extended to SQL injection, or just about any other software vulnerability.
How do you propose the line should be drawn?
The question can be easily inverted for the other side: if any user accidentally damages a service's functionality in any way, can they always be criminally liable? Can this be used by companies with no security or thought put into them whatsoever, where they just sue anyone who sees their unsecured data? Where should the line be drawn?
To me, this is subjective, but the URL situation has a different feel than something like SQL injection. URLs are just references to certain resources - if it's left unsecured, the default assumption should be that any URL is public, can be seen by anyone, and can be manipulated in any ways. The exception is websites that put keys and passwords into their URL parameters, but if we're talking solely about the address part, it seems "public" to me. On the other hand, something like wedging your way into an SQL database looks like an intrusion on something private, that wasn't meant to be seen. It's like picking up a $100 bill of the street vs. picking even the flimsiest, most symbolic of locks to get to a $100 bill you can see in a box.
>The question can be easily inverted for the other side: if any user accidentally damages a service's functionality in any way, can they always be criminally liable? Can this be used by companies with no security or thought put into them whatsoever, where they just sue anyone who sees their unsecured data? Where should the line be drawn?
I don't think the question can be inverted like that, not meaningfully anyway. The CFAA specifically requires one to act knowingly. Accidentally navigating to a page you're not supposed to access isn't criminal.
>To me, this is subjective, but the URL situation has a different feel than something like SQL injection.
I don't think the url below is necessarily that different.
> GET wordpress/wp-content/plugins/demo_vul/endpoint.php?user=-1+union+select+1,2,3,4,5,6,7,8,9,(SELECT+user_pass+FROM+wp_users+WHERE+ID=1)
> if it's left unsecured, the default assumption should be that any URL is public, can be seen by anyone, and can be manipulated in any ways
It can be, but not lawfully so. It's not possible to accidentally commit a crime here, for example in the IRC logs related to the ATT case the "hackers" clearly understood that what they were doing wasn't something that AT&T would be happy with and that they would likely end up in court. They explicitly knew that what they were doing was exceeding authorized access.
> On the other hand, something like wedging your way into an SQL database looks like an intrusion on something private, that wasn't meant to be seen
I think you've reached the essence of it. Now, let's say you just accidentally find an open folder on a bank's website exposing deeply personal KYC information of their customers. Or even better, medical records in the case of a clinic.
Lets say those files are discoverable by guessing some URL in your browser, but not accessible to normal users just clicking around the website. If you start scraping the files, I think it's pretty obvious that you're intruding on something private that wasn't meant to be seen. Any reasonable person would realize that, right?
> GET wordpress/wp-content/plugins/demo_vul/endpoint.php?user=-1+union+select+1,2,3,4,5,6,7,8,9,(SELECT+user_pass+FROM+wp_users+WHERE+ID=1)
This is why I tried to make the clarification that I was referring to the address part of the URLs only, not the parametrized part. In my mind, something like /users?key=00726fca8123a710d78bb7781a11927e is quite different from /logins-and-passwords.txt. Although, parameters can also be baked into the URL body, so there's some vagueness to this.
> I think you've reached the essence of it. Now, let's say you just accidentally find an open folder on a bank's website exposing deeply personal KYC information of their customers. Or even better, medical records in the case of a clinic.
I guess if I try to distill my thoughts down, what I really mean is that there should be a minimum standard of care for private data. At some point, if being able to read restricted data is so frictionless, the fault should lie with the entity that has no regard for its information, rather than the person who found out about it. If a hospital leaves a box full of sensitive patient data in the director's office, and getting to it requires even the minimal amount of trespassing, the fault is on whoever did so. But if they leave that box tucked away in the corner of a parking lot, can you really fault some curious passer-by that looked around the corner, saw it and picked it up? Of course, there's a lot of fuzziness between the two, but in my mind, stumbling into private data by finding an undocumented address doesn't clear the same bar as bruteforcing or using a security vulnerability to gain access to something that's normally inaccessible.
>How do you propose the line should be drawn?
there is a line drawn for such things. a fuzzy line. see:
https://en.wikipedia.org/wiki/I_know_it_when_I_see_it
same as this famous case, in which a supreme court justice is asked "what is and is not pronographie" - of course he realizes if he defines "what is not" people are going to make all kinds of porn right on the boundary (see: japanese pronographies where they do the filthiest imaginable things yet censor the sensitive books, making it SFW in the eyes of their law). this judge avoided that.
Anyways, parallel to the fact that filthy pronographies can be made a gorillion different ways, a "hack" may be manifested also a gorillion different ways. Itemizing such ways would be pointless. And also in the same vein, strictly defining a black and white line "this is legal, this is not" would cause hackers to freely exploit and cheese the legal aspect as hard as possible.. businesses and data miners and all these people would also freely exploit it, at massive scale and with massive funding, since it is officially legal. Thusly it must be kept an ambiguous definition as with pronographies, as with many things
Do you think the current line, where it's based on you "knowingly" exceeding your access or deliberately damaging the operation of a computer system, is excessively vague?
Probably somewhere short of incarcerating someone for what they typed in a browser's URL bar.
So if I deliberately exploit a bug on your website and download your customer database by typing things in my browsers URL bar, I should not be prosecuted?
No, and I would support a law explicitly making it illegal for prosecutor to prosecute you for this.
I'd be totally down for that, but I reckon it would be kind of shitty for the vast majority of the people who are not CTF enthusiasts.
Cyber attacks are consentual, digital engineering is the only discipline where we have complete mastery of the media. If you make a system (or authorize it) what someone does with it is your fault.
Closer to trying the handle on random car doors.
It depends on stuff.
Sometimes a URL can have a password in it.
But when it's just a sequential-ish ID number, you have to accept that people will change the ID number. If you want security, do something else. No prosecuting.
How do I know which URLs of a website are legal to visit and which are illegal?
I can't say I've ever struggled to make this determination, but I don't make a habit of trying random ports, endpoints, car doors, or brute-force guessing URLs.
But it was very tempting when i saw that my national exam results were sent to us in a mail as nationalexam.com/results/2024/my-roll-number. Why would i not try different values in the last part.
Try it once to see if it works, you'll probably be fine.
Find out that it works, and then proceed to look up various other people? Whether you're fine depends entirely on whether or not you genuinely believe that you're supposed to be accessing that stuff.
I think criminalising both is unreasonable, what you do with the URL you accessed or the password you guessed however is different.
Passwords are different from URLs because URLs are basically public, whereas passwords aren't supposed to be. Furthermore, this is not 1995. Everyone who is in the industry providing IT services is supposed to know that basic security measures are necessary. The physical analogy would be, walking through an unlocked and unmarked door that faces the street in a busy city, versus picking a lock on that door and then walking through it.
> Everyone who is in the industry providing IT services is supposed to know that basic security measures are necessary.
And everyone who doesn't have wool for brains knows to not carry large rolls of cash around in a bad part of town, but we can still hold the mugger at fault.
Nevertheless, URLs are as public as door knobs. If someone is merely observing that a door is unlocked and they have not stolen anything, they have done nothing wrong. People being prosecuted over discovery and disclosure of horrible design flaws based on URLs should never be prosecuted. If they use the information to actually cause damage, we can be in agreement that they are responsible for the damage.
>People being prosecuted over discovery and disclosure of horrible design flaws based on URLs should never be prosecuted. If they use the information to actually cause damage, we can be in agreement that they are responsible for the damage.
That's literally the current state of things.
Are you sure? I seem to remember people getting burned for publicly disclosing security vulnerabilities after stubborn agencies refused to fix them for years. Stuff like, exposing thousands of SSNs through a public gateway... We are literally having this discussion on URLs because of famous cases where people DID face unfair treatment. I don't recall any actual fix for this legal chicanery either. If you do, I would be very interested.
As a strictly logical assertion, I do not agree. Guessing URLs is crafting new types of interactions with a server. The built in surveillance uploader is still only accessing the server in the way it has already been explicitly authorized. Trying to tie some nebulous TOS to a situation that the manufacturer has deliberately created reeks of the same type of website-TOS shenanigans courts have (actually!) struck down.
As a pragmatic matter, I do completely understand where you're coming from (my second paragraph). In a sense, if one can get to the point of being convicted they have been kind of fortunate - it means they didn't kill themselves under the crushing pressure of a team of federal persecutors whose day job is making your life miserable.
>(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
If your goal is to deliberately "poison" their data as suggested before, it's kind of obvious that you are knowingly causing the transmission of information in an effort to intentionally cause damage to a protected computer without authorization to cause such damage.
>Trying to tie some nebulous TOS to a situation that the manufacturer has deliberately created reeks of the same type of website-TOS shenanigans courts have (actually!) struck down.
This has very little to do with the TOS though, unless the TOS specifically states that you are in fact allowed to deliberately damage their systems.
And no, causing damage to a computer does not refer to hackers turning computers into bombs. But rather specifically situations like this.
Any reasonable programmer (a peer) would say an unencrypted system that doesnt validate data is an unprotected system.
It's a legal term, has nothing to do with technical protections.
Practically any device connected to the internet is a "protected computer". The only case I can think of where the defendant prevailed on their argument that the computer in question was not a "protected computer" was US v Kane. In that case the court held that an offline Las Vegas video poker machine was not sufficiently connected to interstate commerce to qualify as a "protected computer".
A computer being supplied with false data which it then stores is not damaging the computer - hence there being a provision about fraud. But for this case it's not fraud either, as the person supplying the data is not obtaining anything of value from the false data.
>the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;
Deliberately inserting bad data to mess with their analytics does in fact fit that definition.
You are construing "integrity" to mean lining up with their overarching desires for the whole setup of interconnected systems regardless of who owns each one. By that measure, stopping the collection of data is impairing its availability on their system.
I would read that definition as applying only to their computer system - the one you aren't authorized to access. This means the integrity of data on their system has not been affected, even if the source of that data isn't what they'd hoped.
As I said, the law contemplates a different call out for fraud. This would not be needed if data integrity was meant to be construed the way you're claiming.
(For reference I do realize the law is quite unjust and I'll say we'd be better off if the entire law were straight up scrapped along with the DMCA anti-circumvention provisions)
Why do you think the CFAA is unjust?
What specific activities does it unjustly criminalize?
I had assumed you were coming from a similar position, and your argument was more of a reductio-ad-absurdum.
But if you're not - the fact it's putting a chilling effect on this activity right here is a problem.
Another big problem is the complete inequity. It takes the digital equivalent of hopping over a fence and turns it into a serious federal felony with persecutors looking to make an example of the witch who can do scary things (from the perspective of suits).
Another glaring problem is that if the types of boundaries it creates are noble, then why does it leave individuals powerless to enforce such boundaries against corpos, being easily destroyed by clickwrap licenses and unequal enforcement? Any surveillance bugs/backdoors on a car I own are fundamentally unauthorized access, and yet I/we are powerless to use this law to press the issue.
>I had assumed you were coming from a similar position, and your argument was more of a reductio-ad-absurdum.
>But if you're not - the fact it's putting a chilling effect on this activity right here is a problem.
I've personally had my own CFAA-related criminal troubles in the distant past, but I still have a hard time seeing the big problems with CFAA so often touted on HN.
The activity of childish vandalism by flooding Mazda servers with garbage data? There's no chilling effect on simply not sending any data to Mazda.
The activity which was proposed earlier was explicitly malicious in intent, why shouldn't there be a chilling effect put on it? Do you not think the government should generally protect you from people taking explicitly malicious actions aimed at causing you harm?
In this context it is the motivation that makes the crime. You could absolutely modify your car in a way where the data sent to mazda is replaced with zeroes or random data, but you would need to do so in good faith.
Of course, when the activity is explicitly malicious as stated above ("poison their databases and statistics with fake data") it's not surprising that you'd be in violation of the law.
>Another big problem is the complete inequity. It takes the digital equivalent of hopping over a fence and turns it into a serious federal felony with persecutors looking to make an example of the witch who can do scary things (from the perspective of suits).
I just don't think this is actually happening. The cases often spoken of here are Auernheimer and Swartz.
I have a hard time believing that anyone can read the court files in the Auernheimer case and argue in good faith that such behavior should be legal. Among other things, the court papers contain a chat log of the co-conspirators discussing how to they should use the data they've scraped from buggy AT&T site to spam AT&T customers with malware. In the end that was too complicated, so they arrived at trying to leak the data in most damaging way possible to hurt AT&T share prices.
Swartz performed an admirable act of civil disobedience and faced up to 6 months in prison for that (realistically, he'd most likely never have spent a day in prison). I think what Swartz did is admirable, but that doesn't mean what he didn't shouldn't have been illegal. Just as what Snowden did was admirable, but legalizing such activities would have catastrophic consequences.
>Another glaring problem is that if the types of boundaries it creates are noble, then why does it leave individuals powerless to enforce such boundaries against corpos, being easily destroyed by clickwrap licenses and unequal enforcement?
I feel like this is conflating the problems that CFAA seeks to address with a completely different set of problems.
Corporations are bound by the CFAA just as much as you are, it's just that companies are rarely in the business of doing this sort of crime. Just as companies are rarely in the business of selling heroin.
> Any surveillance bugs/backdoors on a car I own are fundamentally unauthorized access, and yet I/we are powerless to use this law to press the issue.
The fact that CFAA mostly does not address these particular issues is not a problem with the CFAA, people (or companies!) buying devices with software they don't like was never something CFAA was intended to address.
There are reasonable, effective legal solutions to surveillance like this, like the GDPR.
It might be interesting for an enterprising lawyer to try to flip this around. Suppose you send a letter to your car manufacturer saying that, as the owner of the car, you are prohibiting them from accessing the location of the car or performing unauthorized software updates and that any attempt to circumvent this will result in criminal prosecution for unauthorized access to your computer.
If you were to purposefully try to poison/damage their dataset and admitted as such you probably wouldn't win without spending an unreasonable amount of money on lawyer fees. Without admitting anything though and claiming ignorance it would probably be pretty easy to get dismissed, provided you are able to spend atleast some money on a lawyer.
Prosecuting someone for deliberately injecting garbage data into another persons system hardly seems totalitarian.
> You own the device, so anything you do within that device is authorized
You're very clearly describing a situation where at least some of the things you're doing aren't happening on your own device.
>I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law
FWIW this is simply not true. The essence of the CFAA is "do not deliberately do anything bad to computers that belong to other people".
The supreme court even recently tightened the definition of "unauthorized access" to ensure that you can't play silly games with terms of service and the CFAA. https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf
My device. I generate whatever the fuck the data I want. If you log it, kiss my ass.
Sure, I have the same attitude when it comes to the government telling me that I'm not allowed to use drugs. Doesn't mean I'm in the clear from a legal point of view.
However, it's worth clarifying that the important detail isn't generating the data, but sending it. Particularly the clearly stated malicious intent of "poisoning" their data.
This seems like exactly what the lawmakers writing CFAA sought to criminalize, and is frankly much better justified than perhaps the bulk of things they tend to come up with.
>(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
Doesn't seem exactly unfair to me, even if facing federal charges over silly vandalism is perhaps a bit much. Of course, you'd realistically be facing a fine.
Could you argue the computer was unprotected? No encryption is wild.
No, "protected computer" refers to computers protected by the CFAA.
>(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
>(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.
If you paid for a device it doesn't mean you have no rules set up on how you can operate it. I'm sure the is an EULA you agreed to.
As anecdote, while buying a new car I signed a statement that I'm not going to resell it to russia.
And you think it is all fine and dandy?
No it does in fact seem totalitarian. I support repealing the CFAA.
I would absolutely love to hear the arguments behind this.
Oh man. Logging insane average speeds and ludicrous acceleration during rush hour. Deliciously tempting idea.
A data scientist will simply filter out impossible data when conducting an analysis
That’s why you make this as popular as possible
that only works if the values are plausible
you give a lot of credit to an industry poisoned by the profit motive
Just make sure you are criticizing the industry on things that are real. Accurate data collection (put not necessarily publication to a broad audience) is something industry does. Decision makers want to understand reality, they don't necessarily want you to though.
Draw the old twig and berries in gps coordinates in hundreds of random cities, with velocity between points carefully kept to regular traffic speeds every single day until they shut the modem off.
I see absolutely no reason not to completely unplug the cellular modem. The only thing that would stop me is an annoying error message or warning light in the gauge cluster. My car does not display any of these, but unplugging the modem results in losing the right speaker and microphone, unless a bypass harness is used.
The modem is usually in the sharkfin with the XM radio chipset and GPS. If you can unplug it at the sharkfin that's usually the best course of action. Some cars may bark at you, but mine just says it can't detect GPS if I attempt to use it (which I never use anyway).
Wouldn't it be better to connect resistive pigtails to the antenna connectors on the board? A little more work to get to, but less risk to damaging paint and weather seals, and would do a better job preventing signal leakage. I'm no expert on such things, but will definitely be looking at something like that for the next car I buy.
Not sure what you mean, the antennas are on the sharkfin board and you get to it from under the headliner not from the top of the car. It's much easier just to disconnect the cable that goes to the sharkfin than actually removing the entire module in the sharkfin.
For anyone else confused, Diagnostic Trouble Codes (DTCs). Automotive context
Can't you just turn off "Connected Services" in the menu?
I have been canceling that stupid warning message it presents when leaving it off, every day for several years now.
I fear the next version of Miata will be an encrypted CAN like most other cars have moved to
As I understand it, they're required to do that now if they want to sell in the EU. They emphatically do not want anyone tinkering with their cars.
They don’t want people modifying ADAS systems mostly, and the main requirement is SecOC, which is cryptographic authentication but the message is still plaintext. Basically they don’t want third party modifications able to randomly send the “steer left” message to the steering rack, for example.
The ADAS systems mandated in Europe are insanely intrusive. I had a few rental cars in Europe this summer and wanted to send them off a cliff. (and I'm not an auto tech luddite, I've had modern cars in the US with autopilot type systems, lane keep, blind spot warning, rear traffic assist radar, forward collision warning, etc. IMO rear traffic assist/FCW/AEB tend to work really well, autopilot pretty well, and lane keep and blind spot silly gimmicks at best).
Bring on the full self-driving cars, or let me drive my own car. This human-in-the-loop middle state is maddening. We're either supervising our "self-driving, but not really" cars, where the car does all of the work but we still have to be 100% aware and ready to "take over" the instant anything gets hard (which we know from studies is something humans are TERRIBLE at)... Or, we're actively _driving_ the car, but you're not really. The steering feel is going in and out as the car subtly corrects for you, so you can't trust your own human senses. Typically 40% brake pedal pressure gets you 40% brake pressure, unless you lift off the throttle and hop to the brakes quickly, in which case it decides when you apply 40% pedal pressure you actually want 80% brake pressure. Again, you can't trust your human senses. The same input gets different outputs depending on the foggy decisions of some computer. Add to that the beeping and ping-ponging and flashing lights in the cluster.
It's like clippy all over again. They've decided that, if one warning is good and helpful, constant alerts are MORE good and MORE helpful. Not a thought has been given to alert fatigue or the consequences of this mixed human-in-the-loop mode.
So much this. We had a rental BYD in Greece this summer, and while it was actually great car in general the mandated “assistance” was awful.
It constantly got the speed limits wrong, constantly tried to tug me out of the correct lane, and was generally awful. It could be disabled but was re-enabled on each restart of the ignition because it’s mandated by EU regulation.
I appreciate a Greek island perimeter road may be a worst case scenario, but it did the same with roadworks on the freeway and many other situations.
Actively dangerous in my experience…
“Lane keep” yanks the wheel dangerously because it incorrectly detects the lane, or because you don’t indicate to pass a pothole on an empty road (which itself would be confusing to other road users)
Forward collision warning has misfired on 2 occasions on me in the last 3 years
The main issue is that so many cars have broken “auto dipping” headlights which don’t dip, or matrix headlights which don’t pick out other cars.
This automation shit should stop, but it won’t.
parking beepers are reasonable, they simply come on occasionally and don’t actually interfere when they go wrong. The rest of it just makes things far worse at scale.
> Forward collision warning has misfired on 2 occasions on me in the last 3 years
My Lexus is afraid of a bush behind my garage in the alley. It's on a neighbors property and not really overgrown, but my car refuses to get within about 5 ft of it. Makes backing out a nightmare. I haven't figured out a way to disable it, and have considered just selling this 2025 NX.
> I haven't figured out a way to disable it, and have considered just selling this 2025 NX.
I found this for the TX, might work for the NX as well?
Try disabling Parking Support Brake under vehicle settings > drive assist.
parking beepers -- that do not go off immediately when you start a parked car
Yes, and to do that, CAN must be encrypted. The idea isn't just to secure it from hackers. The idea is to secure it from owners.
> SecOC, which is cryptographic authentication but the message is still plaintext
Oh, OK, that's better. I can see what my car is doing, I just can't do anything about it.
I integrated SecOC on some ECU's at work. I hate myself for it. I frigging hate what they're doing with this. I think it's going to make cars less repairable, less modifiable. It's a horrible horrible stupid initiative in the name of "cybersecurity".
I understand notionally where they were going, but it all sort of went off the deep end somewhere along the line. A concern that someone buying some "mileage blocker" or whatever other shady device off of AliExpress might be vulnerable to the device steering their car into a wall is actually quite a valid one, but of course the solution is some overcomplicated AUTOSAR nightmare that doesn't solve for key provisioning in a way to make modules replaceable.
I have less trust in their good intentions. I think OEM's want to lock down their platforms in order to squeeze extra revenue streams. And I tend to be quite charitable with my interpretations.
As an aside, I checked out your GitHub. Cool projects, the vag flashing tool looks super useful, might actually give it a spin in sive development projects.
Remove the antennas. Do not give in to the mirage of convenience.
Use a stand alone generic GPS. Vehicle GPS devices are anti privacy for so many reasons.
Listen to stored music from an SD card if terrestrial radio (NO SATELLITE). Did you know almost ALL late model cars can play a <128gb FAT32 USB drive with non- vbr mp3s? 64gb filled with 168kb mp3 audio would take roughly 3 years at 4 hours a day to listen to.
TURN YOUR PHONE OFF. Your phone does more than track you - the Bluetooth and wifi beacon scanners are always running. When you come across another person, most phones track the intersection of your beacon with theirs making a new data point that compromises both individuals privacy. Now consider sitting at a stoplight; you and and the 10 phones around you have now correlated the time and position you were sitting there. The person jogging by with no phone(but a set of Bluetooth headphones) is also tracked by their Bluetooth signature. Terrifying.
Disable autonomous driving hardware by unplugging the cables from the interior cameras. If your car needs to see and feel you in order to do it's job, it's co-dependent; break up with it.
Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?
> Did you know Orange dash error lights are non critical?
Your car will happily display an orange light while a bad fuel mixture is poisoning your catalytic converter to the point where it needs replacing to meet any kind of emissions test. Same with other signs of engine stress.
Don't ignore dash lights unless you know what they mean or you're willing to pay the cost of disposing of your car.
Of course many places won't even allow you to disconnect all the antennae as a non-functional TPMS makes your car unroadworthy in various jurisdictions. You could quickly reconnect everything and clear the error codes before testing, but I'm not sure if the hassle is even worth the illusion that of being untraceable.
>TURN YOUR PHONE OFF. Your phone does more than track you - the Bluetooth and wifi beacon scanners are always running. When you come across another person, most phones track the intersection of your beacon with theirs making a new data point that compromises both individuals privacy. Now consider sitting at a stoplight; you and and the 10 phones around you have now correlated the time and position you were sitting there. The person jogging by with no phone(but a set of Bluetooth headphones) is also tracked by their Bluetooth signature. Terrifying.
All phones nowadays have bluetooth/wifi mac address randomization, so it's basically useless for tracking, not to mention google/apple conscripting every phone into a wardriving network will kill battery life. Moreover all this effort in avoiding being tracked doesn't really mean much when all cars have a very visible and unique identifier that's mandated by law (ie. license plate).
And Flock Safety will gladly fingerprint the vehicles without said license plate, and distribute everyone’s location histories nationally.
See also (222 points, 19 comments, 14 days ago):
https://news.ycombinator.com/item?id=45945960
> Moreover all this effort in avoiding being tracked doesn't really mean much when all cars have a very visible and unique identifier that's mandated by law (ie. license plate).
I agree with the first half, but not this. The difference between people seeing your license plate and your car/phone/etc systematically recording and storing your exact position is the same as the difference between someone on the street seeing my face vs. a facial recognition camera identifying me and storing that data point forever. People don't memorize or care about your plates. The police could take note of them or even put it on some record, but the number of cops is so low (and the number of cops that would care about my license plates is even lower) that whatever scraps of data are recorded would probably be pretty useless - and besides, that data isn't sold off to private entities, at least where I am.
> All phones nowadays have bluetooth/wifi mac address randomization
Source?
> Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?
"Tire pressure low" is one you should probably check out on a regular basis.
But in exchange for being tracked we've been saved from the scourge of occasionally checking our tire pressure. Why, I'd give up almost anything just to be slightly more comfortable.
Yeah that's terrible advice. Learning to ignore safety warnings is an amazing way to wind up stranded or with a destroyed car because you decided to ignore a warning light
The first 100yr of automobiles didn't have TPMS and it was mostly fine.
I mean if you consider that death rate per mile driven 'mostly fine'
Check your tire pressures when you get gas, along with your oil and other fluid levels. Eyeball the tires every time you get in the car. These habits are not hard to develop and they will work even when the sensors malfunction (which is not infrequently).
All that these sensor-based systems do is train you to be an inattentive car owner.
All these low profile tires do make it a lot harder to eyeball your tires to an acceptable level and tell if they are low. But low profile tires are just in general kind of crappy already.
Many modern cars have no way to manually check oil or any fluid levels. Only way is to check the reading from the sensor via main screen.
Plenty of cars don't have a transmission dipstick. But do cars really not have oil dipsticks anymore? Other than EVs ;p
Sealed radiators? No way to look for winshield washer fluid? No translucent reservoir of brake fluid?
Right! There is only a cap to refill. Computer will tell you when you are low on windshield fluid. Or low on oil etc
Nonsense. Information is good.
I do have a walk around the car before I set forth, but stuff happens.
Some drives are very long -- hours and hours between stops. I've had tires that aired themselves down during a drive. TPMS can alert me to that issue before I get an opportunity to have another walk-around, so I can stop and address it before it becomes a safety concern.
It's fine if someone want to live in a world without monitoring systems; anyone is free to drive an old car with points ignition and a carb if they want (or mechanical diesel! with an air starter, even! no electricity needed at all!).
And sure, there's a certain joy to driving something of relative mechanical simplicity.
But I like modern cars. And I like things like temperature gauges, closed-loop electronic fuel injection, oil pressure indicators, ABS, traction control, backup cameras, and [I dare say] tire pressure monitoring. I like cruise control. I like headlights that turn themselves on when necessary, and off again when they're unnecessary.
And as one might correctly surmise: It doesn't have to be that way: There's other ways to live. A person can also choose to walk, ride a bike, use a horse, commit to a lifestyle that is centered around public transportation, or whatever. The world is full of options.
I've chosen my path, and you can also choose yours.
(And no, that doesn't make me inattentive. My path involves both a belt and suspenders.)
Information is good but the number of "slow leak on a long drive" failures made less inconvenient by TPMS almost certainly pales in comparison to the inconvenience of maintaining the system for the average consumer.
Acting like all this is a safety concern is just textbook internet comment section lying through ones teeth type behavior. Yes, anything can be a safety concern at the limit but even tire failures on the road to not typically elevate to that level. The following framing of "well just drive an old car if you don't like it" is more of the same sort of dishonesty with a veneer of plausible deniability on top. There's no reason these systems need to be built in a way that they can't be disabled and leak PII. There's no reason just about all the systems you're trying to frame as a "bundle" have to be bundled in the first place.
Low tire pressures are a safety problem. Low tire pressure increases the likelihood of catastrophic tire failure. People can (and do!) die from catastrophic tire failures (and from complications of them, like being run over while changing a tire on the side of the road).
I'm not acting. This is not a performative display.
But yes: While I'm happier in a world with TPMS, I'd be even happier yet in a world where it was a quick and simple job to disable it in a reversible way. (Perhaps in some manner similar to the incantations used to disable the passenger seatbelt chime in many cars.)
Nonsense. People are still driving cars without TPMS, they can feel the difference while driving and do tire pressure checkups regular intervals depending on run. No issue.
Of course. A skilled driver knows their car very well, and can note by feel that the car is pulling somewhat to one side and correctly identify that this is due to low tire pressure instead of an external effect like road condition or wind, and then decide whether to address it or keep going.
A skilled driver can notice all kinds of other stuff using their senses, too.
For instance: When there's a plume of coolant coming out of the hood in front of them, they can deduce from observation that the engine temperature may be very high. They can also identify low oil pressure by observing the clacks and bangs of an engine that is starved for oil and tearing itself apart, or even by the silence of an engine that has ceased.
Or: Information. A light can illuminate on the dashboard the before these conditions are pronounced enough to feel, and the driver may then elect to use this abundance of information to take action before it snowballs into something that may become expensive or dangerous.
Throughout my entire life, I don't know if I have ever seen anyone measuring their tire pressure or checking their oil at a gas station. Visually assessing tires can be quite misleading as well - my TPMS indicator was just on, visually it looked like one tire (its pressure was fine), and the tire that was 10psi low looked normal.
Falling back to an attitude of not needing automation and instrumentation is a cope, and often a poor cope at that. The problem isn't the dash warning lights of the past several decades, it's the built in corporate surveillance hardware of the past single decade (and the corresponding violation of user trust in favor of corporate control).
I don't see it often either, but my government has been very active trying to get people to do bi-monthly tire pressure checks at the very least.
I don't think most people know how to do it, to be honest. Partially because people seem to think reading two pages in a manual is some kind of sisyphean task that no mortal should ever be cursed with.
It's pretty crazy how little people care. Even if you don't care about the safety aspect, keeping your tires inflated well saves you a ton on fuel and tire replacements.
Tire pressure management was one of the striking differences between my experiences in France and in the US.
In France, we'd check tire pressure at gas stations on nice machines that had built in dial gauges and were free.
In the US, I had to use one of those hand gauges and the air pumps needed quarters (in most cases, especially if you weren't also buying gas).
In Portugal now, the gas stations also have free air and pretty good pumps.
> the air pumps needed quarters
I landed at JFK and was looking for a stroller to stack my suitcases on. The kind of stroller that is free in every single airport I've been to.
I was shocked to see it costs $7. The guy who (I presume) worked there sardonically exclaimed "Welcome to America."
Presumably you mean a “trolley” not a “stroller”, because strollers are for moving children not luggage
But yeah, free airport trolleys are are an easy marker of evolved civilisations, and the USA fails this test.
Countries that have passed this test for me that I can recall: Australia, Greece, Singapore, China, UK, Thailand, Italy, Spain…
Many new cars have a tire repair kit instead of spare tire nowadays. At least there is a compressor in the kit which you can use to inflate the tire.
Checking oil at once universal full-service gas stations used to be extremely common. Think it pretty much went away in late-70s petroleum shortage in the US. With modern cars, it just doesn't make a lot of sense given any semblance of scheduled maintenance adherence.
I (again) have a low pressure warning on one tire (getting colder in the Northern Hemisphere). It looks fine but I'll get my compressor out tomorrow and make the computer happy. A lot of modern tires can look pretty good even if, as you say, they can be quite a bit below recommended limits.
maybe an age thing? When I was in high school I worked at a gas station where we would pump the gas for customers at the "full service" lane and also check their oil. The game was to upsell people an oil change. Point is, everyone saw people getting their oil checked every time they filled the tank.
And checking tire pressure was a 1x/week thing.
My point was that this is not any sort of widespread normalized behavior in the US in the past few decades. I was responding to a comment preaching as if this was routine behavior, and that people not doing it are simply being "inattentive".
I do get that it used to be a thing in the past. But that was also when oil was rated for 3k miles (I think? maybe it was even lower) and engines would routinely burn oil (ie consume it without leaving a drip spot on the ground). Whereas in the modern day, 15k synthetic exists.
FWIW, I probably do more of my own maintenance than the median HNer. I'll admit I can let intervals slip more than I'd like and I'm working on that, but this idea that everyone is checking fluid levels all the time just seems wildly off base.
>Falling back to an attitude of not needing automation and instrumentation is a cope, and often a poor cope at that.
A lot of modern automation is not really automation. A washing machine is automation: it takes a task which would have wasted hours of your day and reduces it down to a few minutes. A lot of modern "automation" doesn't save you any actual time time, but just saves you from being attentive:
- Checking your tire pressure doesn't take much time, but TPMS is a privacy problem and an added maintenance cost that you cannot opt out of.
- A power rear lift gate actually takes _more_ time than just shutting it with your hands.
- Power windows don't go down any more quickly than power windows. The only only benefit here is that you can open all 4 windows simultaneously. However this is a luxury, not something which saves you time. You never _need_ all 4 windows down. So maybe people like it, but it's not like the washing machine that actually saves you labor.
- etc ....
People think that needed to do or attend to anything is wasting time, but often modern automation saves no time whatsoever, and has other downsides. (privacy, maintenance cost, vehicle weight, etc.)
As someone who grew up in the pre-power-window 1970s and 80s, they absolutely do save time. You have to remember that manual crank windows went along with a lack of air conditioning. Being able to quickly roll down the windows (especially all four at once) in a hot car mattered.
My 2003 s-10 has AC and crank windows, my 2007 Ranger did too. Power windows sure are nice when you want to talk to someone out the passenger side and you don't have a passenger though. Or if you want a breeze regardless of AC.
> Power windows sure are nice when you want to talk to someone out the passenger side
Presumably the fundamentalists think you just need to yell louder. With neo-luddite opposition like this, its no wonder the surveillance society is winning.
I mean, I could always stick my torso out my window and talk over the cab, I guess.
It takes real time to get out a pressure gauge and check the pressure on each wheel, no? Furthermore, attention itself is a limited resource.
For example, power windows were always handy when getting on/off the highway and coming up to a toll booth where I'd have to give/take a ticket. It's much easier to hold a button (or even have a latching button) while spending my attention on actually driving.
I have one car with TPMS that's entirely done through the ABS controller measuring the relative diameters of the wheels. That's not a privacy or cost problem. Furthermore the privacy problem where wireless TPMS sensors are interrogatable is better framed as a security vulnerability in their design, rather than something intrinsic.
Weight is a red herring as I'd guess the fuel savings from having properly inflated tires outweighs the fuel spent on the extra mass.
You don’t see people checking tire pressures where you live?
Tyre pressure sensors have done nothing to affect that.
Frankly? I do. Remove alcohol and drugs from the equation, and driving is an absurdly safe activity. Those intrusive features have very little to do with safety.
it may be better to code out TPMS anyways. I had a BMW that wouldn't allow you to enter Sport/Sport+ when TPMS light was on, what a drag.
Does TPMS have any connection to BMW traction control?
Yeah that’s great if you’re a CIA intelligence officer but what normal person can do this and still function in the modern world? Do the people who say this stuff leave their homes regularly?
And what’s the benefit of it all? Fewer targeted ads?
Leverage over your insurance provider sound good to you?
I am not sure how that works. I guessed I missed the technoparanoid discount.
But I would value the time and inconvenience involved in this at more than my entire insurance bill.
> Do the people who say this stuff leave their homes regularly?
Nope.
I like the rest of the comment, but...
>Did you know Orange dash error lights are non critical?
That's not even remotely true for most cars. One of the most critical alarms you can get in a car is a flashing check engine light, which are usually orange.
> Remove the antennas. Do not give in to the mirage of convenience.
ERROR: unable to start engine.
Please drink a verification can.
Actually I wonder if cars will just adopt "oh-you-need-anti-theft" like phones do. To prevent auto theft, all cars will be tracked and all parts must match serial numbers.
> To prevent auto theft, all cars will be tracked and all parts must match serial numbers.
Well, I suppose that's one way to end third party repairs. Just refuse to turn on if the chip in the new part doesn't match up with a code in the ECU. Like printer ink, but for every major component.
'Error, cannot start engine: Authorised mirror not found. Please visit BMW for an authentic replacement. Driving with non-authentic mirrors may harm user safety.'
In case of Subaru its "we are sorry your battery died trying to aggressively reconnect to the mothership, no we wont be paying for the replacement"
Ok stop with the panicking.
What's wrong with GPS in vehicles? If it's not connected to the internet, there is no issue.
What's wrong with playing music from the phone on Bluetooth or Aux? Did you also know you can ride a horse instead of a car?
Bluetooth and WiFi isn't running if you turned them off. Bluetooth also isn't really used for tracking unless someone is looking for you or you're part of some service like AirTags.
> Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?
What? Worse advice out there regarding cars.
>What's wrong with GPS in vehicles? If it's not connected to the internet, there is no issue.
The GPS module is usually on the same board as the cellular module. Disconnecting the board (usually in the shark fin) disconnects the GPS module too.
>Bluetooth and WiFi isn't running if you turned them off.
BT and WiFi are running when turned off, at least on Android without extra opting out.
If it's not connected to the internet, there is no issue.
It's connected to the Internet. Every car has a SIM card now.
>It's connected to the Internet. Every car has a SIM card now.
Maybe every new car, but the average car is 13 years old, and the OP made no clarification on whether his advice was for only new cars, or for a 2015 econobox as well.
My car is older than that and came with an embedded SIM card. Quite a few navigation consoles had "live traffic updates" (often in trial format, but sometimes "lifetime") that basically consisted of 2G clients occasionally updating traffic data along planned routes. Not quite bottom of the line at the time, but also not uncommon at that point either. It's probably slightly worse than the dedicated satnav screens people were buying back when the car was new, although neither compares to what a smartphone will expose passively from just being inside of a moving car.
There's other ways to get local traffic data, too. For instance: Traffic Message Channel, which can be broadcast with RDS on an FM station, exists.
As long as stations persist that transmit the data (it's sent over RDS), then it will continue to work. There's no subscription involved (or at least, there isn't for my car -- it works where it works, and there's no mechanism by which to pay for using it).
The Wiki has some further reading on the technology: https://en.wikipedia.org/wiki/Traffic_message_channel
Probably the only good thing about this country shutting down the 2G and 3G networks now is all the spy devices that will go permanently offline.
On the one hand, they won't be able to communicate with the home base anymore. On the other hand, they'll light up the map like a Christmas tree if someone ever turns on a stingray in their vicinity.
Most people don't know, and will never know whether their car is connected to the internet, so it's better to assume it is unless you have specific information. The app or phone you connect to the car could also be a major exfil point of this data.
>Do not give in to the mirage of convenience.
I sympathise. However, being able to start de-icing my car while still in bed at 5:30 on a January morning is a powerful feature. And I'm the kind of person who wraps his tin foil hat no less than 10 layers thick.
Ideally this shouldn't involve the internet, because the car is in wifi range, but what can I do about it?
I have this with my keyfob.
later vehicles "helpfully" removed this in favor of online remote starting (with added telematics)
You could probably get a 3rd party remote starter, however that is going to certainly cost you extra and probably won't be as simple as old school remote starters.
People are suggesting all over these threads what we can do about it, but we (as a population) aren't. When my 2009 car dies, I'm going to deliberately NOT buy a new trackingmobile, and try to find another 2009 car to keep running. Yea, that means I occasionally need to take 30 seconds to scrape ice off the windshield. Big deal.
Why 2009? I've been driving the same 2003 Audi TT all my life, never failed me.
The number of cars from 2003 is already dwindling and it's only going to keep going down. It's certainly much easier to find cars from the late 00s-early 10s right now if your only priority is not being tracked or bound to a web of different digital services and subscriptions.
No, I will use all this stuff and do so gladly.
I won't mince words. This is criminal and should be dealt with that way. It is obvious I don't want my information collected and sold. I make it clear every reasonable chance I get. This goes beyond abuse of my privacy, this is digital assault and the company officers that allowed these 'features' should be thrown in jail for it.
Disabling the hardware can be really hard, my 2025 Toyota Sienna is always connected. You can't just pull a fuse or rip out an antenna, I have to take the entire dashboard apart to reach the Data Communication Module (DCM) module. If anyone's curious what that looks like, it's a little bit easier on the Toyota Tacoma, here are some pictures of the process: https://www.tacoma4g.com/forum/threads/disabling-dcm-telemat...
It's complex enough that I haven't done it yet in my Sienna, but I plan to!
On a 2021 Camry there is an below-dash fuse labeled "DCM" which you can remove (and it does disable OnStar/telemetry, but not sat.radio[0]) — it also disables one of the speakers (used for phone calls), which there is a bypass to resolve (but it still requires removing infotainment, so at that point just unplug it there.?!).
[0] It was my understanding that, like GPS-receivers, Sirius/XM was one-way streaming, only..?
There are GPS antennas that land on that DCM and the data from that is forwarded over carplay/android auto. Phones fall back to their onboard GPS but it's a much worse experience than we're accustomed to. If you share the car with someone expect complaints. Pulling the cell antenna(s) is the most elegant solution. People shouldn't be afraid of a little work.
I don't use cell phones but still this'll get me in the dashboard sooner than I had intended (never, before).
Hadn't really thought about the car broadcasting its bluetooth/RF . Is the SiriusXM traceable?
https://www.toyota.com/privacyvts/#:~:text=Declining,analysi... so you apparently have to opt-out of consenting to them tracking you...
as a professional diesel mechanic for a small chain of midwest shops, this "telematics" feature is on long-haul trucks as well as tractors (john deer is notorious for using it to send mail marketing about services.)
generally its not hard to disable.
- identify the telematics module in your car - pull the fuse (not always an option, sometimes this disables bluetooth)
- alternatively: identify the 1-2 SMC connectors on the telematics device. this is the LTE and low/alt channel for the cellular communications. disconnect these 1-2 connectors and connect the ports instead to a 50 ohm terminator. the vehicle will simply continue to collect data but never be able to send it anywhere. the system will assume it just cant find a tower.
I tried this with a wifi setup on a car charger. I connected a 50-ohm dummy load in place of the antenna using the mmcx connector.
It didn't work - there was an on-module antenna that it switched to. Might not have worked as well, but it did work and the wifi access point still showed up.
On the other hand, some cars have a self-contained telematics module like you said and you can just unpower the whole thing.
I remember looking at a ford owners manual for a 2019. The fusebox section had a fuse with description "Telematics control unit - modem." I assume you can just pull that fuse.
The Toyota community has been far down that road with the DCM module in the new gen cars and found that the car still managed to get updates out to Toyota even with 50 ohm terminating resistors in the antenna connectors: https://www.tacomaworld.com/threads/simpler-solution-for-dis... (see the posts by user "Disgruntled Scientist").
Unfortunately simply cutting power to the telematics module also disables the in-car microphone for handfree calling. Fully disabling telematics involves making a bypass harness that re-routes the microphone and speaker signals past the disabled DCM module.
Connecting to a dummy load is a pretty good idea I hadn't thought of (usually I just disconnect the cellular module).
Amazingly but perhaps not surprisingly, cars in the EU do similar amounts of spying on you, but the EU is silent. Car manufacturers pretty much run the EU.
Because the government wants the tracking. They want your car broadcasting its position.
I have an electric car and if I want to remotely turn on charging, it won’t allow me unless the full data sharing option is enabled. Full data as in your driving data like a black box logger. I then have to go in the car, enable it, then I can remotely turn on charging. I have to remember to opt-out again later. Ironic I know because I can turn on charging from within the cabin without having to enable any of the data collection. What an inconvenient experience.
So you're telling me that simply walking out to the car and hitting a button inside the car is just too much of an "inconvenient experience"?
You know we used to have to drive the car... sometimes many miles... to a station, get out, and fill it up with a liquid fuel that costs many times more, and then drive home...
Seriously now- The perceived 'inconvenience' you have is the reason that so many of these connected features are being pushed and then the because the ability is there the business types can't resist the data gathering that became possible because of all the antennas, etc.
But you’re also using this technological convenience to reply to me. You know we used to have pen and paper and horses.
False equivalence: you're saying you want the convenience of remote access without the price the manufacturer is charging (full data collection)
Yes, because it's entirely possible to do. Hell, the manufacturer even charged a price when you bought the car, or I can pay the $20 for my lifetime share of server usage.
What does "remotely turn on charging" mean? Doesn't charge when you plug in?
There are a few options. You can plug it in your garage and charging can automatically begin due to a set schedule, like after midnight, or you can initiate it on demand using the cabin controls or using your iPhone as a remote.
Which car is this?
Ford
I found the vehicleprivacyreport.com site awfully misleading. The "Vehicle Privacy Label" only lists what the manufacturer's current policies are, not what applies to my vehicle. It makes it seem like Toyota is somehow remotely collecting and sharings tons of information about my...2007 Prius. But this car came out in 2006, well before people assumed easy internet connectivity everywhere. Shy of having physical access to my vehicle, they can't read anything, but it's not easy to find that explanation on the site.
I'd like to see a website that ranks vehicles by make and model. That would influence shopping behaviors, and consumers would influence manufacturer behaviors.
The only company that appear to be taking a different tack on this are https://www.slate.auto
Anyone know of any others?
Nope, which is why I plan to get them as soon as AWD/4WD becomes an option.
I think it's wild that people spend their own money to surveil themselves every second they're near their car. Maybe I've seen too much lawyering on TV and in movies, but if I'm in a collision with you, I'm definitely asking the cops to pull the SD card from your dashcam.
Whenever I point out I think this self-surveillance is crazy, the response ends up sounding something like "oh, no big, if I think I did something wrong I'll just hide the evidence and lie to the police and say it doesn't work", which sure doesn't sit right with me.
Why do you think potentially self-incriminating self-surveillance is "crazy" when you also think lying to the cops and other involved parties about what happened is bad? If you believe it's important to tell the truth in these situations, you should have no problem providing your own recordings of a collision, regardless of who is at fault.
Or is your point just about the cost of the dashcam being "crazy"? In that case, hypothetically, what if your insurance company cut you a check to buy a dashcam of your own choice and install it on your car?
I think they're saying "I don't want to self-incriminate so I don't want to put myself in a situation where I have to lie". I'm not sure it's entirely consistent, but I also don't think it's entirely inconsistent.
If you believe you are at fault in a collision where police, insurance, etc. are involved, they are going to ask for your statement, and at that point you will be forced to choose between lying or admitting fault. If you're glad that no dashcam footage exists, presumably you are going to lie about what happened! I don't see why this is any different than popping the SD card out of your dashcam and lying about that too—you're still lying, and for the same reason: to evade responsibility for a collision you caused.
I think this is a pretty black and white and simple view of things, fault is not always 100% clear, and CLAIMING fault is different from explaining what happened _from your perspective_, and letting the other driver do the same. But I'm not actually speaking about simple fault in a basic traffic collision.
Obviously 99.999% of traffic collisions never get this far, but I'm speaking more of the world of courtroom legal drama where you'd rather not have your in-car conversations recorded, or the fact that you drove around the block of the house where the murder occurred at 3am.
I think there's a huge asymmetry between the upside of the dash cam and the downside of self-surveillance. I'm much more likely to be in a fender bender than accused of murder, but I also _simply don't care_ if the police say I'm at-fault when I don't think I was, driving my insurance rates up for a few years. But I'm deeply uncomfortable with the idea of recording myself 24x7 whenever I'm in my car.
> I think this is a pretty black and white and simple view of things, fault is not always 100% clear, and CLAIMING fault is different from explaining what happened _from your perspective_, and letting the other driver do the same. But I'm not actually speaking about simple fault in a basic traffic collision.
Seems like having video (and GPS speed, etc.) can only make it clearer who (which may include both parties) is at fault? I still don't see how that can be a bad thing if you also aren't interested in lying about what happened.
> I think there's a huge asymmetry between the upside of the dash cam and the downside of self-surveillance.
I almost addressed the generalized surveillance angle in my original comment, but didn't since it seemed that your comment was focused exclusively on the context of having been in a traffic collision.
Addressing it now, I guess I am just not too worried about this angle when my dashcam simply records videos onto an SD card that I have complete control over. If I was a person likely to be targeted by my authoritarian government, I would probably think twice about having such an unencrypted SD card sitting around where it might be swept up in a bogus search and used to gin up additional bogus charges against me, but that is currently not my situation. Really, I can only imagine the video evidence collected by my dashcam being used to exonerate me in a scenario like the one you describe, e.g. if an LPR tagged me on the block where the murder happened but my dashcam clearly showed that I was just passing through.
In fact, this exact thing recently happened (https://www.cbsnews.com/colorado/news/flock-cameras-lead-col...) to a woman who was falsely accused of theft based on LPR data and used her Rivian's dashcam recordings (among other data) to get the police to drop the charges. It's insane that this happened in the first place, but that's beside the point here.
Of course, people using cloud-based dashcams are certainly exposing themselves to dragnet surveillance—which I do have a problem with simply on principle—but the data on my dashcam's SD card are fundamentally inaccessible to law enforcement until they obtain it in a physical search of my car.
Nothing you can realistically do about it. In America car ownership for most people is mandatory. It’s unfortunate we don’t have alternatives if you disagree with car manufacturers extra “features”.
On the other hand, it is not mandatory to vote for politicians who continue to make our cities car centric.
You are not doing anything wrong if you are forced into buying a car due to the circumstances of your living. But voting to continue that makes your culpable.
So your plan would be to get rid of cars? Wow it's almost like government regulation imposed to dissuade people from free travel via personal automobiles through a thorough enshitification is working in the direction of their intent.
You mean they're actually asking for 15 minute cities? Yes sir, they are. Very good.
Well it's not free, we pay a lot of money to subsidize the highways and roads. If you like your highways and roads and want that freedom, what's better than having fewer cars on the road? That's one of the things that diverting some public funds from highways to other transportation options helps achieve. For those who could get to work or perhaps get to the grocery store by walking, biking, hopping on a bus, or taking a tram/street car that's cars off the road to make your life better.
The alternative is to be aware of this abuse and unplug the cellular modem. It requires more or less effort depending on the car, but it can and should be done.
It’s not a good alternative though because it puts you into a losing competition with the manufacturers. Take out the cellular modem? Next one requires connectivity to drive the car and so forth.
You could “ban” it, but the amount of effort required to raise public awareness for that and actually have our dickhead representatives due things like that is basically the same amount of effort, perhaps more, as building better cities and transportation modes.
We build and subsidize highways, we could do the same with other methods of transportation and have competition instead of big gubmint cars.
In many parts of the US, individual vehicles are the only viable mode of transportation. In fact, even in the NYC metro area, a car is pretty much indispensable, unless maybe you live in Manhattan and only rely on home delivery for groceries and the like. If you ever want to do anything outside of the city, you need a car.
Right which leaves us without alternatives and beholden to car manufacturers and their collective decisions.
>Take out the cellular modem? Next one requires connectivity to drive the car and so forth.
Find the cellular antenna and replace it with a dummy load. The car will think it's sending the data just fine but all it's doing is turning radio waves into heat.
And so on and so forth up until it’s just not worth the hassle as it even is today for most people. This isn’t a good problem to be solved with hacking. It’s a public policy problem.
Public policy is failing at the moment, so you have to take matters into your own hands. If enough people do this, then it will effectively become public policy. Inaction is not a solution.
I personally am, but there's only so much I can do. I am involved in our regional planning commission for transportation, and routinely write letters and call my representatives. I may donate some money to some of our local transportation organizations, but I'm not sure that's a good use of money yet so I haven't.
I agree with you in general though that public policy is failing. Specifically it's failing here where we continue to engage in and direct poor public policy positions because the government is very entrenched and addicted to spending taxpayer dollars. Asking the public to continue to play a catch up game of voiding their car warranty instead of actually solving the problem via policy is, in my view, simply not going to work.
We could lobby together for new federal and state laws to prohibit this kind of tracking without the affirmative consent of the purchaser—or, at the very least, make opt-out as easy as sending an email.
I wonder what the extremely rich do to get a car that isn’t a security risk? I’ve heard you can throw money at high end car dealerships to disable spying, but I wonder what the internal process is.
It's easier than that, you can remove the cellular modem. Dealers won't generally accept to make this mod, but any independent shop should be able to. There are also plenty of videos on YT to DIY.
I some months back called every independent EV mechanic I could find a listing for in my state to see if they would help me disable the cellular modem of any of the models I was interested in buying, and they mostly told me either that they couldn't or wouldn't. One of the more polite shops I got in touch with explained that many models don't have a separate board that can be disabled anymore, or otherwise have more things on the board that need to be talking on the CAN bus for other, actually important parts of the car to function. As such, I still have my old car.
Since then, I've learned about the 50ohm dummy antennas you can buy. I might try that if my car dies before an AWD/4WD Slate truck becomes an option, and also if my living situation can accommodate charging.
This will probably be a thing, but it's not clear that folks are cognizant of the risks yet.
I haven't heard this. Do you have any examples?
I thought about getting a traditional navigator to avoid even relying on phone navigation.
Well, of course all the Garmins and Tomtoms available now have "built-in wifi for updates" and often BT for phone notifications too. Sure, I could just not configure either but what if I want a navigator _without any radios_ and with controlled updates via SD card.
Maybe a dedicated Android phone in the car with offline OpenStreetMaps installed and airplane mode on is more realistic. Or some old 2nd hand navi that's still updateable.
I use an older Garmin, purchased from ebay. Works fine, updated maps via a laptop recently. Needed an extra SD cards for space.
You could use a GrapheneOS phone without SIM and OSMand for that.
The CCC had a nice talk last year about the data VW collects and what can be learned from it (all the data was unencrypted accessible): https://media.ccc.de/v/38c3-wir-wissen-wo-dein-auto-steht-vo...
(unfortunately it's in German - but there is an english live translation available)
Not driving seems to have worked pretty well thus far.
Here is something else you can do about it. By an older low mileage car. If we all did that the manufacturers would change tack soon enough
I did do this, but I also want a reasonable modern and safe car and in the EU, since 2018, that means a car with eCall. I have a 2017 that I will keep going as long as is economical, but after that, it will be nearly impossible to avoid these systems.
The idea that a 20 year old car is unsafe is auto industry FUD. Yes, there have been great safety advances since the 1970s and 1980s. They've kind of tapered off though. I would absolutely trust my family's lives in any year 2000+ vehicle.
> I would absolutely trust my family's lives in any year 2000+ vehicle.
I work partly in prehospital emergency medicine and I wouldn't.
I already feel uneasy with our 2017 EuroNCAP 5 star SUV due to the improvements since then, in particular AEB and increased structural crash-protection, which greatly change the injury profiles of accidents.
Airbag and crumple zone safety requirements for crashes that aren't head-on are much more recent than the 2000s. Many car makers designed their cars to pass those, but will leave you dead or worse if you get T-boned.
ABS wasn't even a requirement in the EU until 2004, and American cars could be sold without ABS all the way until 2012, when traction control was also made mandatory (which the EU then also followed).
Things like the slightly-angled side pole crash test was only added to the Euro NCAP in 2015 and was updated five years later to make it a bit more realistic, though cars still woefully fail in many real-life scenarios.
I wouldn't really consider a car "safe" unless it passes the ~2015 requirements for car safety well. A well-designed car full of optional safety features from the ~2010s is probably also safe, but I wouldn't count on it unless you've done research into it.
I believe Volvo has had a reputation of being ahead of the curve with these kinds of crash safety tests, but even they had to improve over time.
Of course, just because it wasn't a requirement to have ABS, doesn't mean your car doesn't have it...
There's a difference between "it might not have it" and "it definitely has it".
> that means a car with eCall
It can be removed/disabled. Given that we're talking about a used car, the warranty being void is not a problem either.
Is all of this data collection from the driving aids actually us doing R&D for their autonomous car projects?
people participating as beta testers with no way to opt out is absolutely the norm now.
from video games to software to “self-driving” cars, we’re all unpaid beta testers for unfinished and often unsafe products.
IIRC, Massachusetts passed a right-to-repair law a few years ago. Based upon the text of the law, all new cars purchased there have the spying disabled because they did not want to give up their proprietary info.
There have been a lot of court cases about that law by the manufacturers, so I do not know the status at this point.
So I wonder if that is still the case. If it is and an out of state person buys new there, will that "spying" remain disabled when they bring the car home ?
Theoretically, that should be a catch-22, right?
How would they know you're no longer in Massachusetts, without the spying enabled while within Massachusetts?
Because "spying" in this case means "sending data to the mothership."
It doesn't mean "the car's gps is disabled"
Perhaps. But what if a person living in Massachusetts travels to another state?
I found this when looking into it more: https://arstechnica.com/cars/2023/06/feds-tell-automakers-no...
"Now, according to Reuters, NHTSA has written to automakers to advise them not to comply with the Massachusetts law. Among its problems are the fact that someone “could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently,” and that “open access to vehicle manufacturers’ telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking.”
Faced with this dilemma, it’s quite possible the automakers will respond by simply disabling telematics and connected services for customers in the state. Subaru already took that step when it introduced its model year 2022 vehicles, and NHTSA says other OEMs may do the same."
It wouldn’t be surprising if cars also record audio of conversations to use for ad targeting. It has already been conclusively shown that TV companies have done this.
IIRC, Nissan even has a clause in their privacy policy for selling information about passengers having sex. Pretty hard to collect that without audio data.
> It has already been conclusively shown that TV companies have done this.
Can you elaborate? I don't think I've ever heard of this. When did it happen?
Interestingly I can't get ChatGPT to help me find a video showing me how to disable the cellular modem on my Subaru 2024 Crosstrek. Time to do some old-fashioned research, I guess...
https://chatgpt.com/share/692cde57-0930-800e-b45f-7a41ca5c8e...
Who cares about what ChatGPT can't do? It can't make me a sandwich either.
I ripped the wifi / onstar and gps antennas out of my 2020 Chevy Bolt the day after I bought it. Took me a couple of hours since the access was awful, but that's one time pain. No issues since, and I have a phone I use to drive the head unit so there was no need for those antennas to even exist.
I tried this once.
I got a tesla home charger and it had a unnecessary wifi AP that kept showing up in my house. So I figured, I would stop this.
Opened it up, and disconnected the wifi antenna mmcx connector.
Nope, seemed when unplugged, it would switch to an onboard antenna for the wifi module.
so I reconnected a dummy load antenna to the wifi module.
and it still used the onboard antenna.
at that point, I gave up.
I think there might have been a possibility of downgrading the firmware to an older version that could disable wifi, but I didn't try to find it.
I believe this kind of thing happens with onboard cellular, wifi and bt. They are more resilient to degraded or disconnected antennas than you think.
I went to Carvana to get some idea on what my car might be worth. I gave them the license plate, and it gave me a questionnaire about specific trim and options along with asking about the current mileage. I couldn't remember the exact figure so I guessed rounded to the thousand. The app complained and wouldn't take it as they knew the mileage which was some 150ish miles more. Apparently my car has reported the mileage last time I drive it, which has been about an hour before.
Carvana knew exactly how many miles I had driven within an hour of me driving my car.
So why did they have you fill in that field then?
For the same reason the IRS makes you fill out how much you made last year. They know—they know to the penny. But making you fill it out is a humiliation exercise so they can "catch you out" and intimidate you.
Well in the case of the IRS, that, and you know, Intuit.
You can simply not drive a modern car.
It's rather surprising/disappointing that "advice" like this makes no mention of how the automobile gains internet access
Does it (a) have it's own SIM card, (b) piggyback on driver/passenger/other vehicle SIM cards, (c) opportunistically connect to free wifi APs, etc.
Perhaps the surveillance data is only transmitted to the mothership when the automobile is being "serviced"
The automobile OS may be like the other corporate OS, e.g., iOS, iPadOS, Android, etc., in that there is no possible configuration or combination of user settings that does not allow data collection and surveillance for unlimited commercial purposes
Is there anything we can do about it short of avoiding new cars? Our legislators have proven unwilling to pass real privacy laws.
Yes - remove the telematics radio and GPS antennas. They are usually in the overhead console area around/behind the lighting and mirror controls.
In BMWs, the gps antenna is behind the upper lights, the telematics and V2V antenna is in the sharkfin(unplug it from underneath the headliner)
Giving car companies your money (and then modifying your car) is still rewarding car companies for their bad behavior. We really need to stop buying new cars and somehow make it clear that telematics are the reason, but it's never going to happen. Not enough people care, and of those who care, not enough of them care enough to stop buying these cars.
In some seem to be in the fin antenna:
https://m.youtube.com/watch?v=OqFdFO_STJ0
But what's the point if you're just going to use Android Auto or Apple's car-thing instead? You're just letting some other company invade your privacy.
Consent and convenience. When I use google maps, I am trading my privacy for accurate directions and traffic times. When I buy a car that sells my location, and I get nothing in return, I feel like the deal is inequitable.
OsmAnd works fine in Android Auto with WiFi and mobile data turned off. Sygic does too. I believe TomTom also sells navigation apps that will work fine under these conditions.
I use Android Auto mostly because I don't trust manufacturers of car components to maintain their software and to put more than bargain bin SoCs in their infotainment consoles. There's no need for your Android phone to have a connection to the outside world if all you're using it for is locally installed apps.
Assuming things much? It's actually totally reasonable to opt out of both of those, too.
Then on the other hand, who cares about those when your car is already tracking you? /s That kind of helpless reasoning needs to die.
In my BYD Seal, I removed the SIM card that's easily accessible from inside the armrest compartment.
Maybe there is a way to pollute the data? At least it makes data cleaning more expensive.
Ride a bike.
I've never had a driver's licence, lived in a zillion countries; don't think I could do that in America though.
Over half of New York City households are car-free. That jumps to 3/4 in Manhattan.
Millions of American households don’t have a car, but you rarely hear about it as a viable option.
NYC is the absolute best case in the US, if you're talking about the ability to exist without a car. It's not that no one talks about those millions of households, it's that they are all concentrated on a few standout islands (literally!) in a sea of the nearly identical car-only supermajority of cities. It's the exception to all exceptions.
Most people live on a few islands of density in a sea of nearly empty land in the US.
Most people live in cities, but the vast majority of American cities do not approach even 10% of the quality and availability of transit in NYC. That's why I said that NYC is a massive outlier among the rest of the US.
Because as soon as you leave a major metropolitan area, not having a car is almost a nonstarter.
It's the same in Europe, but people pushing an agenda don't talk about that either.
People who are "pushing an agenda" aren't arguing that there should be no cars ever, anywhere. Cars are the smallest-scale form of long-distance transport, they are unavoidable in low-density areas or for services that requires complete flexibility. All the agenda-pushers I've seen in real life are just saying that there's better options within cities, at least for a lot of people. Most of the time, most people only move within their cities, myself included. If transit within my city was in any way adequate, I would choose it over the car. I could cover those rare out-of-city edge cases with rentals or train travel.
Besides, it's not even the same in Europe. In a few countries, maybe, but in the majority the inter-city transit or transit within small towns is not even in the same universe as what's available in most of the US.
The US takes this to an entirely different level.
In places like Vegas, even on days with great weather, trying to WALK 2-3km in residential areas is a nightmare.
Over 100 million people live in just the top 20 metro areas alone. It's hardly an edge case.
And _not_ living in one of the top 20 metro areas is also hardly an edge case.
And even in most of those metros (OK. Leave aside Manhattan), not having a car tends to imply a lot of lifestyle choices in terms of activities, visiting friends outside of the metro, etc.
There are certainly people who are OK with living like they did in their urban school for a few years after graduation. But that's not a long-term solution for most people.
A massive chunk (if not majority?) of those top 20 metro areas are largely car dependent for most of their populations. Large areas don't have any public transit at all, and the rest is often designed to be actively hostile to pedestrians.
Try living without a car in these places, all in the 4th largest MSA.
https://maps.app.goo.gl/mHmGidZRJaKptHeL8
https://maps.app.goo.gl/5P4mW5iM6b5ab9Ve7
https://maps.app.goo.gl/JCiBgESKs5ZWqGny8
https://maps.app.goo.gl/E1iVwLCB28ooGhQL9
These are all in "urban" areas and a part of DFW. But how about Houston, the 5th?
https://maps.app.goo.gl/7yEAimERmyE1EGde6
https://maps.app.goo.gl/UKSQjPqifWUSv82H7
I don't know how one would even get groceries without a car.
And even then, you're then talking about less than 1/3 of Americans living in that mostly car dependent space.
I would argue that even in NYC, having a car is necessary if you ever want to leave NYC (and you will want to).
It’s not useful if you generally fly most places you travel to. An of course if you’re going months-years without using a car then renting becomes relatively more convenient.
"the best public transit in the densest US city barely manages to reach 50% of car-free lifestyle" is what you're leaving out.
A household not having a car is a much higher benchmark than being able to live a car free lifestyle.
It’s common for people to own a car and not use it for weeks, months, or in some cases years at a time.
Not possible when things are 10+ mile apart and a general grocery run takes 3+ hours and you can't carry more than a backpack, so you have to do it multiple times a week.
The US is ripe for an e-bike revolution. The distances, the wide roads with plenty of room for bike lanes, and the revulsion against things like Flock...
Unfortunately it's as likely as this being the year of the Linux desktop because Windows 11.
No. Enjoy the ride.
Defeatist and cowardly.
Given that GP is accepting a level of additional risk which you profess not to be willing to accept, perhaps "cowardly" is not the correct adjective.
Moving to the EU becomes a more appealing option every day.
Greetz from Germany, we have Chat Control now even though we've been trying to reject it for at least 3 years.
Autocracy is just everywhere these days, Noah get the boat.
The Chat Control problem isn't nearly as final as some news sources try to brand it. They were running up against deadlines and submitted their work knowing statistically their proposal would get shot down based on existing voting rounds.
I, too, would rather see this bullshit die in committee before reaching the next stage, but this bullshit can still be stopped.
This is false, https://news.ycombinator.com/item?id=46063166
No panacea here! Better in some points. In general privacy. OTOH many things are not afvancing.
In the EU, eCall is mandatory and disabling it fails most roadworthiness checks and voids most insurance policies, so it doesn't help much.
Also, while the EU does (for now) have stronger privacy protections for citizens against corporate interests, the opposite is true in most EU countries for Government surveillance.
eCall has very strong privacy protections, see Article 6: https://eur-lex.europa.eu/eli/reg/2015/758/oj
While eCall has some weak privacy protections (it's open to all the standard cellular network surveillance lawful in each country), it also means you cannot disable the vehicle's modem in most (maybe all) EU countries with failing roadworthiness checks and insurance policies.
eCall mustn't be active until an accident occurs. The lawful interception lobby tried hard to turn every car into a free data point they could sell to the government, but their efforts have failed.
Last I heard they've shifted their efforts to making remote activation of on-board cameras part of the 5/6G smart car bullshit (which will of course be part of road safety requirments not long after).
No, that's not correct. The eCall spec requires self-checks that include registering with the network on at least every ignition.
However, more importantly, it means you can't lawfully disable the modem that the manufacturer uses for its own telemetry.
Are you sure about that? My understanding was that the eCall self test does not connect to a network.
That’s stated on the eCall page linked above. Do you have a source that contradicts that?
Yes, I am sure.
Annex VII only rules out connecting to the PSAP/112 side, not routine network attaches. To detect faults in the “means of communication”, the IVS has to verify that the SIM, baseband and RF path are actually usable, and you can’t test that without a network attach.
In practice that’s what all current eCall implementations do. The modem attaches to the cellular network at each ignition so it can confirm it’s capable of placing an eCall. If you block the modem or antenna, the IVS fails its self-test and the vehicle is no longer roadworthy.
Does that mean the modem used for eCall is the same that is used to transmit telemetry? Because that's a level of shitty I hadn't even considered. That said, it would go against the spirit of the law as I read it.
There are always workarounds, of course, but that does pose an annoying problem to patch.
Yes, unfortunately in all modern calls there's a single Telematics Control Unit with a modem, GPS/GNSS, eCall (where required) and whatever OEM telemetry stack.
Like you say, there are always workarounds, but none that the home-gamer can safely or legally modify without taking eCall out of compliance.
There are standalone eCall units for retrofitting, e.g. [1] and likely soon more since 2G/3G gets phased out. Presumably you could disable the manufacturer’s built-in system and use standalone system instead?
[1] https://www.bosch-presse.de/pressportal/de/en/emergency-call...
This crap is being done because of EU rules. It's "for your protection." The vehicles are being secured from you.
https://www.coro.net/blog/what-new-eu-cybersecurity-rules-me...
https://www.dw.com/en/new-eu-cybersecurity-rules-push-carmak...
Cars, your TV, your phone, everything is fucking spying on you. At this moment I am more interested in how I generate a tsunami of more data about me to the powers that be to drown them in a deluge of irrelevant bits.
Yes, and that's very sad. However the solutions are pretty obvious:
Car -> unplug the cellular modem (more or less easy)
TV -> used as dumb monitor with a Linux HTPC
Phone -> GrapheneOS
PC -> Linux
Social media -> /dev/null
Email/DNS/cloud -> my own
The real issue is that most people are not aware of these issues and may even (unintentionally) compromise your own privacy by posting information or pictures of you to Facebook or other similar places.
> Social media -> /dev/null
That made me chuckle, absolutely right though!
I love how these comments are made on a social media website.
HN is not a social media platform in the traditional sense. For one, it is completely anonymous, unless your "handle" is somehow linked to a real identity (by choice or otherwise). It's very, very different from posting every aspect of your life on a platform like Facebook.
Anonymousness does not make a platform unsocial (Twitter, 4chan, 8chan, reddit, HN, IRC, PlentyOfFish, X, Instagram, TikTok, Snapchat, Tinder, StumbleUpon, FourSquare, BeReal, WhatsApp, democratic voting, any forum, YouTube, Wikipedia, any BBS)
For most people, it's all irrelevant.
I'm surprised how many people think that keeping a low profile will matter in a society that attacks people for things you could discover from vehicle position data. In that society, you'll get attacked if someone wants to do it and they'll manufacture the pretext.
I think the attack vector most are considering are going to be government-sourced mass-targeting of individuals based on data triggers rather than any particular interest in the individual. The current example being many of the 12,000 annual arrests in the UK for online speech, many based on private messages. For many of those cases, these were private individuals in whom the government had no prior interest.
It's not difficult to imagine something like pandemic restrictions, where a digitally-enabled government could fine/arrest people based on location data, either because they travelled outside an allowed area or into a restricted one. Or they have data showing they were in close-proximity with too many people etc etc.
No doubt about this one. But, how much are the ubiquitous ride-for-hire e-scooters spying on you, and everyone else on the street?
Those e-scooters are a red herring. Ring cameras on everyone's front door and automated license plate readers (ALPR) on police vehicles and Flock cameras throughout cities are bigger concerns in America.
Flock is already known to assist the government surveilling protestors:
- [CBP is monitoring US drivers and detaining those with suspicious travel patterns](https://news.ycombinator.com/item?id=45996860)
- [How Cops Are Using Flock Safety's ALPR Network to Surveil Protesters and Activists](https://www.eff.org/deeplinks/2025/11/how-cops-are-using-flo...)
- [Amazon has a form so police can get my (Ring) data without permission or a warrant](https://www.theverge.com/2022/7/14/23219419/amazon-ring-law-...)
The even worse part of Flock isn't that they cooperate with the government, it's that there is(or was) basically no security in the service. Cops from one state can/could use flock services from other states. A few cops got caught stalking via Flock.
Flock takes the "do nothing until forced to" mentality.
Enough to make sure the kids won't undercut the cartel this time around.
It's where we are. Everything everywhere is collecting data and spying.
If it exists in a database, then the government has access to that database if it ever wants to legally or otherwise. It's been like that since 9:11 and probably before.
All we need now is for the right person to walk in and turn the key. We're lucky that Donald Trump is probably too stupid to understand what he's got under his thumb.
He's a useful president surrounded by smarter people who will figure out ways to use this data rather than sit around tweeting all day.
Comment of the year.
There is spying and there is spying
Back in august IDF banned Chinese cars from entering bases
https://www.jns.org/report-idf-bans-chinese-cars-from-bases-...
And now banned then from used by officers
https://securityboulevard.com/2025/11/why-israel-just-banned...
I wonder what IDF knows
Tesla cars to be banned from Chinese government buildings amid security fears.
I wonder what China knows :)
https://www.drive.com.au/news/tesla-vehicles-to-face-entry-b...
At consumer level - Tesla has been leader here for many years.
How do you write an article about this and not mention the GDPR or EU privacy laws?
>"It’s hard to figure out exactly how much data a modern car is collecting on you"
You are a globally operating news agency. You can absolutely get some GDPR requests in and look at it. What kind of reporting is this? "We don"t know, but we also have not tried the one way which forces companies to answer this question".
BMW is a German company, just ask them for the information they have on you and they are forced to give it to you.
Mozilla's concentrated efforts took a while, they're right that it's hard to figure out exactly what car manufacturers are doing. Unless you're willing to sue a bunch of them, plain GDPR requests won't be enough to get this information. Companies will happily lie or declare information collected as "non-personal" or "trade secrets" and if they're smart enough about the way they process their data they can probably convince a judge that the end result isn't personal enough that exposing their trade secrets weighs up against the GDPR.
There's no way even a large news corporation is going to buy every model car from every brand that comes out in a year to get the legal rights to demand data, let alone pursue these data requests in court. Renting cars may be easier, but then your contract is with the rental company and they're responsible for getting you the information you require, and after the first three PII requests you're not going to be renting from them any time soon.
I'm not saying they couldn't do a deeper dive with more detailed research, but it's not an easy task to evaluate an industry like this. All they'll be able to produce is general statements about a limited set of car models that'll quickly be outdated once the next software update comes out.
Remove the modem
Not always possible, depending on model, skill level, and/or availability of a mechanic that's willing to try. My own search for a mechanic to mod any of the cars I was looking at buying was fruitless and left me with the decision to hold onto my gas guzzler for a while longer.
The problem is a lot of the features of these cars require you to opt into giving your privacy away. And when you’re shopping it’s not clear where that line is.
modern tech enables an actual mind reading - while you bicker around about vehicle telematics and bluetooth beacon signals
nothing. And banning ALPR wont fix anything either. All cars have 4 unique serial numbers broadcast via radio at all times via the TPMS system. you don't even need a camera, just a radio receiver.
Checked how to receive those with SDR. Turns out they are very low power and you need to basically touch the tire. Also the transmit in minute intervals. Bit exactly a a smoking gun in terms of mass surveillance.
TPMS doesn't need to be unencrypted like that, although many car manufacturers do like to save a buck.
If you get a car old enough, you won't need to worry about TPMS (but that car will not have been tested against recent crash test scenarios).
TPMS is over the air, each sesnor has a 32 bit unique ID. you have 4 per car... its easy to identify
Depends on the TPMS implementation to be honest. Most of the UHF ones are impossible to receive unless you're using some optimally placed/pretty powerful equipment. Even then, the protocol is entirely up to the vendor, as long as the system is reliable.
My car is old enough that it doesn't have TPMS sensors but I have looked into third party ones. It looks like there's all kinds of systems, from custom UHF to Bluetooth LE. No idea what your car uses.
> banning ALPR wont fix anything either.
Ideally the implementation would be immaterial to a ban. The ban (or more likely first, warrant requirement similar to cell data) would be on the tracking database, not the details of how the tracking was accomplished.
> All cars have 4 unique serial numbers broadcast via radio at all times via the TPMS system.
Mine doesn't.
do you have some sort of indirect tire pressure checking like wheel speed?
No, I have a tyre pressure gauge. Every so often I check the tyre pressures and maybe stick a bit more in if it needs it.
Some VWs used to use wheel speed, though, which was fun because they added tyre pressure checking with a software upgrade. Not terribly accurate, but enough to tell you if one was low.
A 2013 Chevy Volt has a camera on the dashboard pointed at the driver. The entertainment dashboard has a dozen communication options, including those for safety? Zealots and the unhinged will quickly comment no doubt, but for the rational citizens I ask, when was this normalized? Was it automakers emboldened by the acceptance of cell phone central record keeping?
"Safety" is a magic word like "god" was a thousand years ago. If you say it just right you can manufacture an excuse to do all sorts of stuff that'll clearly lead to bad stuff if left to run.
They undoubtably said things like "if it saves even one person from falling asleep at the wheel it's worth it" or something along those lines.
this is still a technology advancement... what if smartphone usage or asleep safely stops the car? what if this run locally? or what if it's linked to public entities that will add penalty points to your license?
as a cyclist and public transport user with no driver license, i hope personal vehicles have so much sensors that they can detect if you are drunk or stressed and limit your reaches. fuck your metallic beetle
>as a cyclist and public transport user with no driver license, i hope personal vehicles have so much sensors that they can detect if you are drunk or stressed and limit your reaches. fuck your metallic beetle
What a great illustration of the sort of selfish opinions that people like to peddle under the guise of perceived common good.
Are you willing to have your bike brakes linked up with GPS and red light signals? It's in the name of safety and progress after all.
in a city that doesn't produce even 1/25 of microplastic thousand kilos vehicles produce? because that also has an impact on marine ecosystems, by the way, cars are linked as one of the highest if not the, pollutants of microplastic. in a city that doesn't have air pollution linked towards a bunch of disease? in a city that doesn't have noise pollution that also has a bazinga of negative impact?
are you really naive to believe cyclists wouldn't respect traffic lights on a city designed after walk and public transportation? or are you thinking on the minimal cyclists that get killed by tresspasing this rule by vehicles that get a mild scratch? or the light or mild injuries bicycles at 15-25 km/h are gonna cause between each other?
edit: i would even go further and hope personal vehicles production is ceased and their circulation becomes a crime for citizens on non-legal or non essential services duties. i would live perfectly fine in a city without those but who controls the speed of my bicycle on cycle paths or that lock my brakes if i try to cycle high
You didn't answer his question: Would you be willing to have your bicycle brakes linked up with GPS and red light signals? Or loaded down with sensors monitoring and correcting your bicycling activity for your own safety?
Even just cycle number plates.
> are you really naive to believe cyclists wouldn't respect traffic lights on a city designed after walk and public transportation? or are you thinking on the minimal cyclists that get killed by tresspasing this rule by vehicles that get a mild scratch? or the light or mild injuries bicycles at 15-25 km/h are gonna cause between each other?
An excellent demonstration of "cyclebrain syndrome", the urban twin to suburbia's "carbrain syndrome".
> are you really naive to believe cyclists wouldn't respect traffic lights on a city designed after walk and public transportation?
Translation: I am aware of cyclists' ubiquitous poor behavior on the roads but will reach for any justification to shift responsibility to someone else. "Drivers wouldn't be running red lights if you just added a couple more lanes, bro."
> or are you thinking on the minimal cyclists that get killed by tresspasing this rule by vehicles that get a mild scratch?
Translation: And when cyclists' poor behavior causes a fatal collision with a car, nobody cares about the damaged property. Or the mental anguish, or the collisions caused by narrowly avoiding killing an errant cyclist (who survives, oblivious, thanks to the driver's quick action choosing a more costly crash over a "mild scratch" that kills the cyclist).
> or the light or mild injuries bicycles at 15-25 km/h are gonna cause between each other?
Translation: I don't give a shit about killing/injuring pedestrians any more than car drivers do. I only care about collisions with things that are about the size of my vehicle or bigger. And if those other things are bigger than my vehicle--I want them banned! That way I reduce the risk to me, which is what I really care about, and who cares what happens to anything smaller than me?
I don't totally disagree.
The USA was designed by Ford motor company, for cars, by cars. That was a mistake.
> Zealots and the unhinged will quickly comment no doubt, but for the rational citizens I ask, when was this normalized?
[laughs in unhinged zealot]
don't buy a modern car
so ya!
My house is fairly close((125') to a rural "highway", and only internet here is mobile data that my phone shares with other devices and mornings(anytime) my older desktop with 2.5 ghz wifi gets bumped off with the passing of every car that has glaring supper white headlights,but, not the ones running yellow incandecents, whatever rf signal is comming of these things must be barely, or completly illegal, and could obviously be tracked in any number of ways, so not so much bieng spied on, as just flat out trasmitting everything you do in ridiculously fine grained detail.
> The first thing drivers should do is be aware of what data their car is collecting
> You can opt out
lol
this makes it seem so simple.
I think
- you will never be aware of what data is collected - they want to collect more data and never disclose it
- you will never be able to opt-out. Even if you disconnect from cellular, at service time they will just download what is there.
- car manufacturers will use any and all data to their benefit
You know, here's an interesting story I remember reading:
I will give you a story - buddy owns a shop - buys new M5 - he went out joyriding - warped a rotor - he said it was not from him so he tried a warranty service - BMW printed a page that his car recorded. It had snapped a pic of his face and sent all the data on speed, location, etc every bit of data you can think of to the dealer and his insurance company. He sold the car. That was years ago. Ask any custom tuner today if they can touch a 22 BMW. Nope. It will disable the car if you try and get into the CPU to tune it. This is where the industry is heading
from: https://www.fordtremor.com/threads/disabling-the-modem-pulli...
Similar story with a user's earlier Model S - they used to drive it like they were being chased by the cops, and so when it was time to swap the degraded battery under warranty, (as they said) "a nerd" came out of the back of the service center "with a bunch of paperwork from the database" and Tesla denied the claim.
The problem is that with Flock, you’re basically being tracked incessantly anyways, so who cares if the automaker also does it?
We need to resist this stuff or else there will be Flock, stalker cars, and some other new nightmare they excuse by saying “well we’re already watching…”. Can’t let ourselves accept this is normal!
How do you resist automated license plate readers? Not having license plates doesn't seem practical.
That's the slippery slope of shrugging your shoulders.
I worked on the data platform at a smaller car co, and there were tight controls around getting access to precise geo data, and there were strong privacy advocates at higher levels. Wasn’t a perfect system, but “spying” would be far from what I saw
The car data collection story is concerning, but it's part of a broader pattern: credentials and personal data are scattered across dozens of services we interact with daily.
The automotive example shows how even "non-tech" products now collect and transmit data. Each service creates another attack surface, another set of credentials to manage, another potential breach vector.
What's frustrating is that breach response still falls on individuals. When one of these services gets compromised, it's users who have to scramble to change passwords across potentially hundreds of connected accounts. The "change your password" advice is good but wildly impractical at scale.