auto manufacturers had violated Washington state’s privacy laws by using vehicles’ on-board infotainment systems to record and intercept customers’ private text messages and mobile phone call logs.
But the appellate judge ruled Tuesday that the interception and recording of mobile phone activity did not meet the Washington Privacy Act’s standard
Privacy is a fundamental human right.
Just not in USA, as it seems. Here it is indeed the law that needs to be fixed.
“An Annapolis, Maryland-based company, Berla Corporation, provides the technology to some car manufacturers but does not offer it to the general public, the lawsuit said. Once messages are downloaded, Berla’s software makes it impossible for vehicle owners to access their communications and call logs but does provide law enforcement with access, the lawsuit said.”
What would be the point of downloading the communications and call logs to begin with if the owner can’t access them?
I'd be interested in seeing the number of E2EE enabled accounts used for criminal activity versus the number of regular ol' free Gmail, Yahoo, Outlook etc accounts. Governments absolutely have a hate-on for E2EE, so the police calling out these services specifically raises questions of motive.
Not that we should not be shutting down criminals... but this sort of framing tends to suggest that E2EE services are inherently criminal enabling, and that does not feel like a mistake.
Forgive my question, but if the email is encrypted and the service is unable to read it, how are they sure the accounts in question are criminal? How would they know any account was?
This is confusing to me so I am grateful for any insight.
There’s typically reason to suspect the account owner first. They’re not trawling through random accounts, law enforcement doesn’t have the time or authority to do that. Note that intelligence agencies are not law enforcement, I’m not talking about what some spy agencies might do.
Since this is law enforcement, typically you don’t have a verdict to rely on, but they’d have a warrant or subpoena to get the necessary evidence to further the case.
If an email address is being used for fraud, they don't need to see the encrypted copy; they can see the copy sent out to other people from that address. So if I send you a message from my Protonmail to your Gmail, the following is true:
Copy @ Protonmail: E2EE.
Copy @ Gmail: NOT E2EE.
There are other, circumstantial ways to tell as well. If you're trying to scam people with DudeBro Cryptocurrency, you necessarily reveal the address you use when you send out your spam or scams. If I send malware from notactuallydiotima@proton.me, the proof that I sent the malware does not require you to see my server-stored mail; you can just look at your own copy to see.
Yes, the “to address” cannot be encrypted as it is necessary to deliver the mail, the “from address” is needed to send a notification when the “to address” doesn’t exist.
Technically, the “from address” probably can be encrypted, like in signal; but I think it is required in the current email standard.
Surely Proton also receives the mails in plaintext? There’s no E2EE about it. You have to take their word that they encrypt it and discard the plaintext data.
That only helps when there's viable alternatives. Since pretty much all auto manufacturers do something like this it's not really a distinguishing feature.
And even if it was: how much worse/more expensive would a car need to be for you to not pick it over one that reads your text messages. And then ask the same question not for "you", but for the average consumer. Then be sad ...
Yeah but the vast majority of car buyers won’t know about this or care. We’re all privacy advocates here but everyone and their mother is on Facebook or Instagram and is happily giving away all their information already anyway.
We’re all up in arms about this here in this thread, located in a self-selecting micro-community of people centered around a shared interest in the control of our data. If you called your mother and told her about this would it stop her from buying a new car in the future?
Disappointing result but this seems like something for the legislature to fix. Courts aren’t always the solution, sometimes you have to just fix the damn law.
You are implying that any data gathered will be delivered to the government upon request (unsure if you are implying with or without a warrant). If you can show me from this article, or even this case, regarding this privacy case that that happened, then yes I agree with you and the fourth amendment applies.
But this issue is between private entities which generally precludes amendments from being applicable. Specifically, the plaintiffs alleged that the infotainment systems collected and stored personal data without consent and violated Washington’s Privacy Act.
An Annapolis, Maryland-based company, Berla Corporation, provides the technology to some car manufacturers but does not offer it to the general public, the lawsuit said. Once messages are downloaded, Berla’s software makes it impossible for vehicle owners to access their communications and call logs but does provide law enforcement with access, the lawsuit said.
The Fourth Amendment will affect police, but it won’t restrict a random person who is given access to something from turning over whatever data they want to police.
Say I hire a painter, and the painter is painting my house’s interior, and sees a bloody knife in my house. He can report that to the police. But, remove the painter from the picture, and the police could not enter to look for such a thing absent a warrant.
'course, the flip side of that is that if the police get a warrant, then they can enter whether I want them in the house or not, whereas the painter can only enter because I choose to let him in.
Not just police, any armed investigatory unit or state sponsored militia. The idea of a “police” force was pretty vague at the time, so the umbrella covers much more than it initially intended to.
You’re getting a bit off-track here. The scenario is this: the company that provides the software for your car collects data. This part is unconcerned with Amendment 4. Amendment 4 prohibits the State from collecting information and searching unreasonably. It does not prohibit the private company that provides the software from doing so. That is what privacy laws are intended to protect against, not Amendment 4.
Amendment 4 also does not prevent the company that collected that data from providing it to the police upon request. Amendment 4 (and the rest of the US Constitution) applies only to the State. Private companies and private individuals are not bound by it.
You’re willingly giving this data to the manufacturer, at which point they’re free to do with that data whatever they please, according to the terms of the agreement you sign, including giving that data to government authorities. The government isn’t unlawfully searching and seizing because they aren’t even forcing the manufacturer to give up the data, they are freely giving it as they are allowed.
This isn’t to say I’m defending the privacy violations or the government, but it is the case that this situation isn’t protected by the constitution, we have to and should make a specific law for it.
Amendment 4 does not apply to the practices of a private company. That’s what privacy legislation is intended to protect against. Amendment 4 only applies to spying done by the State.
If you want to call it that, you can. The State spying by proxy (paying or asking companies for info) is legal and not prohibited by Amendment 4. Amendment 4 does not protect the subjects of information. It protects the controllers of information (which would be the car company).
If the purpose of collecting the data by private companies is to somehow make money, do you think that sharing this data, or conclusions based on this data, somehow manages to exclude access of governmental agencies? I’ve never gotten the impression that CIA/NSA would ever willingly play nice.
Government agencies paying private companies for your information, or even just asking for it in exchange for something or nothing is legal. That’s because nothing was searched unreasonably (because consent was given by the controller of the information) nor was anything seized against the controller’s will.
You are not in the picture. The information might be about you but you don’t control the information, the car company does. From a legal standpoint, you are irrelevant for the purposes of Amendment 4 protection.
Amendment 4 protects the controller of the information from Government seizure but does not protect the subject of that information. Privacy laws are what are intended to protect the subjects of information. There is some overlap of course. For example, your computer has lots of information about you and what you did in the past. You would be both the subject of the information and the controller (since it’s stored on your computer).
Please remember, I am describing what the law is, not what it should be.
Correct and it is not illegal. It is an invasion of privacy but the law doesn’t prohibit that. Amendment 4 covers the Government doing it without the permission of the person who controls the information. It refers to “can the Government bust in or sneak in to get info”, not “can the Government make clandestine deals to buy info for surveillance purposes”.
Just like with the first amendment, it doesn’t apply to private companies. The point is to prevent the government from passing tyrannical laws, it was never meant to restrict the activity of private citizens.
This is clearly and overtly a decision intended to protect the ability of government to conduct warrantless searches by purchase or subpoena of third party information…
An equivalent tech that would put text messages of government personnel into corporate hands would be labelled a serious threat and addressed with specific legislation.
This makes perfect sense to me. If you plug your phone in to your car and give it permission to access all your shit, then it will access all your shit, and store it locally so that it doesn’t have to re-download all your shit every time. If you don’t want your car to do that, then don’t plug in your phone and give it permission to do that.
Having said that, it is terrifying how much of our personal data modern cars collect. We should be fighting that, but this specific case was not the way to do that.
Seriously, these cases seem like giant nothingburgers.
Did you expect that your car wouldn’t have your text message when it’s displaying it on the screen or reading it out loud?
Now, is there malicious intent? Can they be retrieved by technicians at the dealership if your phone isn’t plugged in? Is it forwarding them back to Honda Corporate or Zuck himself? If so, that’s a significant problem that would probably belong to Android Auto and Apple CarPlay…they should be storing them encrypted and only be able to decrypt them when the phone is connected. But I don’t see any mention of that in the article.
I expect to have access to all of my data that the system retains. I expect them to not share my text messages with anyone else. I expect to have the ability to manually delete data.
I prefer that it doesn’t retain information any longer than I have use for it.
But tons of stuff would have to get synced every time you connect your phone. Better to have them cached, encrypted at rest, decrypted by key stored in the phone, and just do a diff-sync.
This should be very easily possible with CarPlay and Android Auto. I have no idea if it does or not. But as Apple and Android both control both their respective app and the OS of the attached phone, there’s no reason it can’t (and even pre-compile diff packages for known cars, or expire and purge both sides after X days without a connection)
That may not be true for regular old Bluetooth though…which likely has more to gain in performance from caching the resources due to BT’s limited throughput, but also has to conform to standards.
What would even need to be cached? Text is text, you shouldn’t need MMS besides maybe voice, media is streaming anyway, and maps are, again, text. Anything else, your phone is easier and faster, and probably works better.
There’s really no reason to cache anything more than a day old. And if you’re using Android Auto, the car shouldn’t need to store anything. It all goes through your phone.
"Many car manufacturers are selling car owners’ data to advertisers as a revenue boosting tactic, according to earlier reporting by Recorded Future News. "
So yeah at least some of them collecting it are then selling it
Their citation for that is their own article, which doesn’t mention anything about selling data from phones, but does talk about cars generating upwards of 25GB per hour of raw telemetry data. Again, mostly uncited.
The point of that line is to drive intra-site clicks and mislead you into getting more upset and drive the ever important “engagement”. Unfortunately a common theme in modern media.
The article specifically mentions this which implies that it’s stored on the car.
Berla’s software makes it impossible for vehicle owners to access their communications and call logs but does provide law enforcement with access
But it’s immediately followed up with
Many car manufacturers are selling car owners’ data to advertisers as a revenue boosting tactic
Pretty much all new cars being sold today, most cars in the last 5 years, and a large percentage of cars sold in the last 10 all have some sort of cellular modem that reports back to home base with all sorts of info, then they turn around and sell it. GM has been doing this for 20+ years at this point with OnStar which is included in almost every car they’ve made.
Sure, but from what I’m seeing, the article wasn’t about them selling it. It was about them storing it, which only happens after you plug your phone in and agree to their terms.
therecord.media