Mozilla on Cars and Privacy

[vdeane]

A report from Mozilla recently came out and they found that cars are the worst product with respect to user privacy they have ever reviewed.  Basically, avoid connecting your phone to your car or any car with connected features, because the automakers are taking all your data (and that of your passengers, too) and selling it.  One even charges a subscription fee to delete the data if you ever get rid of the car for any reason.

https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/

Seriously, this is scary, and it's making me think I should keep my current (2014) Civic forever, no matter the cost or whether it becomes completely unsuitable for roadtrips at some point.  At least I don't have any of the connected car, cameras/microphones recording me, etc. garbage.

[Scott5114]

If Mozilla made a car I would happily buy it (even though it would probably be a little slower and use up more space than other cars).

[wanderer2575]

I (maybe) want to know how the car is obtaining data on one's sex life.  Are there sensors in the back seat that measure how much it rocks and how much, uh, moisture gets on them?

[kalvado]

I (maybe) want to know how the car is obtaining data on one's sex life.  Are there sensors in the back seat that measure how much it rocks and how much, uh, moisture gets on them?

There are weight sensors in seats... 
On a more serious notice, Subaru (that's what I drive) can collect "audio recordings of vehicle occupants". On an optimistic side, that may be voice recognition function. On a pessimistic...
They don't like how Subaru app policy is written - but MySubaru was the only app I saw with less than 2 stars of reviews and it lasted a single ride for me.
Now, car knows its VIN, and that allows a lot of information to be extracted - owner name, address; if I used financing to buy it - SSN and bank info can be matched as well. 

Then each modern car has an independent internet connection, and possibly a GPS.. WHat goes over that network connection is beyond any control....

[vdeane]

Incidentally, there isn't a way for a system to listen for voice commands but not pick up other audio.  As a practical matter, it hears all, it's just a question of whether it's recorded and/or phones home when not responding to a command.

As for the sex life thing?  Probably an overzealous lawyer (as noted on this week's Security Now) adding it in "just in case", but the technology certainly exists that it could be inferred.

[kalvado]

Incidentally, there isn't a way for a system to listen for voice commands but not pick up other audio.  As a practical matter, it hears all, it's just a question of whether it's recorded and/or phones home when not responding to a command.

As for the sex life thing?  Probably an overzealous lawyer (as noted on this week's Security Now) adding it in "just in case", but the technology certainly exists that it could be inferred.

In my case voice recognition in a car is activated by a physical button, not by a codeword. So at least in theory there is no need to listen nonstop. But a physical switch for the microphone would be good

[ZLoth]

What does Mozilla say on the data that is collected from utilizing those streaming apps?

Also, it's not too much of a surprise that the car companies are trying to figure out how to "monetarize" post-purchase, and that they tend to use years-old yet proven technology. Some of it is due to the hash weather conditions, and some of it is safety related.

[SectorZ]

With cars coming from places like China and Vietnam, the worst is probably yet to come.

[kalvado]

With cars coming from places like China and Vietnam, the worst is probably yet to come.

I really don't understand this fear.
Imagine your device hearing your wife complaining about your declining..ehh... vision, and device sends that to China. The worst thing they can do is show you some enl@... https://www.zennioptical.com/ ads.
Now imagine your Ford hearing you complain about crypto investment, and that information gets to Chase somehow... Good luck with your next car financing... 

[1995hoo]

Incidentally, there isn't a way for a system to listen for voice commands but not pick up other audio.  As a practical matter, it hears all, it's just a question of whether it's recorded and/or phones home when not responding to a command.

As for the sex life thing?  Probably an overzealous lawyer (as noted on this week's Security Now) adding it in "just in case", but the technology certainly exists that it could be inferred.

While it's not an app to which I pay a lot of attention, I know the "Health" app on the iPhone has a section in which you can track your sexual activity (why anyone would do this is not clear to me except, perhaps, (a) if someone is really religious about tracking every calorie burned or (b) someone is practicing the rhythm method–the latter further relevant because the app also allows women to track their "time of the month," which is of course another feature to which I pay no attention). Apple says any data you enter in the app is encrypted and secure, but perhaps the concern is either that it's not true or that someone will get past whatever measures the app employs.

[GaryV]

"Health" app on the iPhone has a section in which you can track your sexual activity //snip// the app is encrypted and secure, but perhaps the concern is either that it's not true or that someone will get past whatever measures the app employs.

I wonder how many, thinking someone is "watching", might overexaggerate the amount and duration of said activity. 

[Scott5114]

...the latter further relevant because the app also allows women to track their "time of the month," which is of course another feature to which I pay no attention). Apple says any data you enter in the app is encrypted and secure, but perhaps the concern is either that it's not true or that someone will get past whatever measures the app employs.

I have seen some people online advocate against the use of digital period trackers out of a fear they may be subpoenaed by state governments to be used as evidence against someone seeking an abortion. I'm not sure if Apple's encryption would do anything to render complying with such a subpoena (whether for that reason or any other) impossible.

[kalvado]

...the latter further relevant because the app also allows women to track their "time of the month," which is of course another feature to which I pay no attention). Apple says any data you enter in the app is encrypted and secure, but perhaps the concern is either that it's not true or that someone will get past whatever measures the app employs.

I have seen some people online advocate against the use of digital period trackers out of a fear they may be subpoenaed by state governments to be used as evidence against someone seeking an abortion. I'm not sure if Apple's encryption would do anything to render complying with such a subpoena (whether for that reason or any other) impossible.

While government may be crazy, and Apple has it's privacy policies...
I never understood why such information (including health, personal finance etc) has to be in the cloud. Bank account is sort of in a cloud inherently, but my  records on how much is spent on milk, on alcohol, and prostitutes gas, and car repairs don't have to. 
If they are offline on my device government may still get a search warrant though. If they are on paper, government still may try to find them...  The Fifth amendment will protect you if nothing is on paper, though.... 

[1995hoo]

"Health" app on the iPhone has a section in which you can track your sexual activity //snip// the app is encrypted and secure, but perhaps the concern is either that it's not true or that someone will get past whatever measures the app employs.

I wonder how many, thinking someone is "watching", might overexaggerate the amount and duration of said activity. 

Your use of that //snip// in the quotation has me envisioning either a vasectomy- or circumcision-related app, given the overall direction this discussion took.

[vdeane]

The Fifth amendment will protect you if nothing is on paper, though.... 

To an extent, not absolute.  The Fifth Amendment means they can't force you to disclose a password, but it doesn't prevent them from hacking in (if they have a warrant), or forcing you to use other means of unlocking your device (this is why security experts actually advise against using your face or fingerprint as the sole way of unlocking your devices).  And, of course, they can get anything in the cloud simply by asking for it from your cloud provider.  You don't get protections from that because you aren't testifying and the provider doesn't either because it isn't self-incrimination.  Quite a loophole, if you ask me.

[kalvado]

The Fifth amendment will protect you if nothing is on paper, though.... 

To an extent, not absolute.  The Fifth Amendment means they can't force you to disclose a password, but it doesn't prevent them from hacking in (if they have a warrant), or forcing you to use other means of unlocking your device (this is why security experts actually advise against using your face or fingerprint as the sole way of unlocking your devices).  And, of course, they can get anything in the cloud simply by asking for it from your cloud provider.  You don't get protections from that because you aren't testifying and the provider doesn't either because it isn't self-incrimination.  Quite a loophole, if you ask me.

I was referring to situation where nothing is on paper and nothing is on the device - but everything is on your head.. then it really works!