You see, Scannell is a security guy. And, while Scannell thought these features of the Car-Net system in his new Volkswagen Golf were pretty neat, for him the system was a lot more than the “partner” that VW advertises. But he’s been in privacy for years. In fact, it’s literally his job — he’s an adviser for security start-ups. And he knows all too well how simple it is to hack into a system with an open internet connection. For him, Car-Net wasn’t a helper. It was an opening for companies to spy on him. For a hacker to take control over his steering wheel. To find himself in a potentially dangerous situation.
It’s a reality that is present in basically every single new car that hits the market these days. Our cars are all waking up and coming online. The companies that manufacture them are filling each one full of hundreds of sensors that capture endless amounts of data about us and how we drive. It’s the last bastion of consumer information.
And just like your mobile phone, which has been spying on you for years, your car is not your friend.
Your car forgets nothing
Unfortunately for Scannell — and all car owners, for that matter — disabling systems like Car-Net is no easy task. Sitting in his brand new car at the dealership, watching the system’s light flashing (even though he never asked for it to be enabled) Scannell was concerned. And then he started reading the manual. He soon decided: The system had to go.
“[Car-Net] is this two way microphone into your entire life. You never know when it’s on or off. Your life is not your own,” he says. “At this point my concern is about control. And who controls what. Do I believe VW would shut my car off while I'm driving? No. Do I believe there’s potential, just because it’s America and things are weird... that someone [could] decide to shut my car off? Yes.”
And his fear doesn’t come out of nowhere. Hackers have already proven that they’re capable of this feat. Last year, Manchester-based NCC Group told the BBC that they had found a way to take control of a car’s brakes and a variety of its systems through the car’s radio. In fact, they said, it would even be possible for them to take control of several cars at once using the same technique. All it would take was one stream of code to infiltrate a weakness in the system.
“I don’t think I should have to worry about these things,” Scannell says. “I’m a great believer in privacy, but I’m not a privacy nut. I didn’t want this thing activated. It was important to me that it not be activated.”
The insidious part of these systems is that their potential to do harm isn’t as big or scary as a stranger taking over control of your wheel. It’s the smaller, less obvious forms of data collection and tracking that are starting to make privacy experts very nervous.
Ever since General Motors introduced the OnStar telematics system in 1995, car makers have been busy filling vehicles with a whole slew of devices that track, sense, and communicate. Most new cars are equipped with about 100 electronic actuators that are distributed throughout the vehicle’s various systems. It’s their job to notice what’s happening in the steering wheel, the throttle, and the brakes. They sense weight on the seats and they keep track of how fast the car is going. Then they log all this data, store it, and send it back to the manufacturer.
The dealership or the manufacturer will then use this data for a variety of purposes. The main reasons — at least the ones that they share publicly — are to assist the vehicle's owner with car maintenance and protect their safety. Hit a certain number of miles on your odometer? Your car will let you know it’s time for an oil change. System notices your brake rotors have started to wear down? Your car will tell you it’s time for a fix. In 2009 OnStar introduced Stolen Vehicle Slowdown, a feature that allows the company to remotely manipulate a moving vehicle's throttle response, gradually cutting the power. The company touted the feature — which is part of a security suite that includes a remote engine ignition blocker and a theft-alarm notification function — as a way to safely disable a stolen vehicle that was in sight of law enforcement, thereby ending a high-speed chase before it started. But to privacy experts, it was further proof that telematics systems could override every vehicle control short of the steering wheel. And if an OnStar operator could do it, they feared, couldn’t a hacker?
Beyond the actuators, there’s data collection going on in the OnStar and Car-Net-like systems as well. These devices have microphones and video cameras. The on-board entertainment and navigation systems keep track of what music you’re listening to and where you physically go in your car.
In fact, in the US, there’s a federally mandated “black box” — an elusive device known officially as an Event Data Recorder, or EDR — that has been installed in every new car since 2014. It logs much of this data, like whether or not you’re wearing your seatbelt, for use in law enforcement and post-accident assessment. There is basically no aspect of the driving experience that can’t be measured, quantified, and logged.
“It’s the field of dreams approach to privacy and surveillance,” says Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, a non-profit organisation that is dedicated to protecting civil rights in the digital world. “If there are sensors in cars collecting data that pertain to what people are doing then there will be a law enforcement interest. We start there. But we recognise that it’s all of the companies, whether car vendors or third party vendors, that also have a lot of use for that data. It’s the car analogue to data on the internet. You go to Facebook and they’re sucking in data. Google — they’re sucking in data. If you build it, they will come.”
No easy way out
After being met with blank stares and shrugs by salesmen at the VW dealership when Scannell asked if his Car-Net system was running or not, he ultimately decided the best bet would be to try and get it removed. And, because he’s tech guy, he turned to the Internet to see if anyone had attempted the task on their own. Car-Net, he found, was a lot more than just a little module that could be yanked out. In an online forum for Golf owners, he found someone who had tried to remove the system.
A step-by-step photo essay on the forum shows user “shoku” dismantling their entire dashboard and finally teasing out the Car-Net box, which is marked with a label that notes opening the box voids the warranty. “Inside we find a pretty dense multi-layer circuit board. Compared to my Nexus 5 cell phone, it has way more components,” shoku writes. “Under the board is a loose plastic bit with some terminals. Definitely the cell antenna. Just removing the antenna did not disable the communications. It was able to connect as if nothing was wrong, even after I tried shorting the leads together.”
This is the part that Scannell says is the most concerning. Even when the system’s antenna was physically disconnected, the car was still online. He says that buried deep in the dashboard is Verizon cell phone 3G hardware that's always on. "Whether you’ve provisioned it or not,” he says. “You can still wirelessly connect to the car.”
According to Dorothy Glancy, a professor of law at Santa Clara Law School, and a nationally known expert on transportation and privacy security law, all of this data collection and wireless connectivity is perfectly legal. “The government isn’t doing anything about this,” she says. There are few laws that protect the privacy of the information that you generate inside your car. The only real auto-related privacy protections the US federal government affords are for the records held by the Department of Motor Vehicles.
And this has some nerve-wracking implications for consumer protection that go beyond a little snooping. For example, US-based Progressive Insurance recently introduced Snapshot, a biscuit-sized device that plugs into a car’s standard onboard diagnostics port. During the sample period (usually at least 75 days), the module tracks vehicle speed, time of day and location — thanks to integrated GPS, included “for research and development purposes“. The module uses this data to extrapolate acceleration rates and braking force. (The device actually beeps during hard braking, to evoke a sort of Pavlovian response to “bad” driving.) The company then provides all the data in a handy, easy-to-access online page on your Progressive account. Progressive says voluntary use of the device will allow the user to “get a personalised car insurance rate based on how you drive.”
And Progressive isn’t the only US insurance company that has started providing this service. Allstate also has a similar device called Drivewise, Nationwide has SmartRide, and StateFarm has DriveSafe and Save, which actually collects its data through customers’ pre-existing OnStar systems. Glancy says that, while these services are elective, it’s not completely clear what exactly insurance companies are doing with all the information they’re gathering. “I’ve been concerned about this being misleading to consumers,” she says. And because there are no laws to protect consumer privacy in this arena, she continued, it would be very difficult to use legal measures to reveal how the data is being processed.
A spokesperson for Progressive says they try to be clear about how they manage data, but that policy is not necessarily the norm industry-wide. According to Progressive’s terms of service, the company says they don't use the data to resolve an insurance claim unless you ask them to. Though they do say they will share it in response to a legal subpoena, or “to a state department of insurance to support renewal rates, to service providers who are contractually required to maintain its confidentiality; and/or as otherwise required by law.” Lastly, the terms of service do state they share non-identifiable forms of the data “more broadly” — “de-personalising the data means that we remove personally identifiable information so that the data cannot be associated with a particular driver or policyholder.”
Allstate, on the other hand, has been pretty boisterous in its excitement about the possibility of monetising consumer data. To incentivise their Drivewise program, they give customers rewards points just for enrolling. And then, as they use the device, customers earn additional points towards rewards like merchandise and gift cards. In May last year, according to a Bloomberg story, the company’s CEO Tom Wilson, while speaking at a conference in New York, noted several companies that are currently making money by collecting their customer’s data: “Could we, should we, sell this information we get from people driving around to various people and capture some additional profit source, and perhaps give a better value proposition to our customers? … It’s a long-term game,” he said.
In fact, both Glancy and the EFF’s Tien agree that marketing companies are desperate to get inside your vehicle and figure out what the heck you do there. For generations, the only way marketers have been able to get at us in our cars have been passively, through billboards or radio ads.
Being in the car, says Tien, “it’s alone time. Whether I sneeze or fart or yell, it’s very private in a weird way. From a marketer's perspective they’re really curious. They want to know. It’s an area they haven’t been able to get much data on. Now that [data is] going to be available and it completes the profiling. It’s one of the last frontiers for areas where you can get data about people.” The incentives to spy on people, he says, are very strong.
Drive carefully — marketers are watching
When Scannell decided he didn’t want to void his warranty by tearing out Car-Net on his own, he turned to Volkswagen to help him deal with the device. After what he calls a “Terry Gilliam Brazil-like” experience of being told the system would need to be turned on before it could be disabled, the company eventually said removing the system would be impossible. In a letter sent to him by their CARE customer service division, the Region Case Manager wrote: “Volkswagen is unable to meet your request to remove the Car-Net system or module from your vehicle. Doing this would void certain warranties and may interfere with some safety features on your Golf, such as the immobilizer system.”
According to Tien, safety is always going to be at odds with consumer privacy and protection when it comes to manufacturers. “Pretty much everything we want socially we can get without having to give up privacy. But it’s very easy to not protect privacy. The only people who care are ordinary people. Because neither the companies nor the government really care very much. They may pay lip service to it, but it’s always going to be overwritten by safety, or collision avoidance, or emissions standards. All these grand good things,” he says.
How customer privacy is treated varies. According to Glancy, the German car manufacturers avoided installing the black box tracking devices into their cars for years. And Ford, meanwhile, recently created a program called the Driver Behaviour Project in the UK. That project would provide drivers with a plug-in device much like the Progressive Snapshot, that would assign drivers a personal score based on their driving behavior. And Ford says that they believe customers own their own data.
According to Don Butler, Ford’s executive director of Connected Vehicles and Services, respecting people’s privacy in their cars preserves their trust in the company. And there are few things more important for a car brand then to ensure that their customers trust them. “I want to be very, very clear that we don’t track customers. We value and treasure the data on behalf of the customer,” he says. Ford has set up an internal council that makes policy recommendations and decisions throughout the company to ensure the protection of privacy.
That said, this January Ford announced it had entered into a partnership with Amazon to allow its drivers to connect to their cars and Ford’s technology through the cloud. This new feature effectively turns the car into an Amazon Echo on wheels. The Echo is an always-on device that has already sparked huge privacy concerns as it sits in your living room quietly and passively listening for you to give it a command. And now it will quietly listen to you in your car as well.
As our vehicles become more and more automated, that sense of trust and security Ford is attempting to cultivate will become even more important. After all, if humans hand their control over their vehicles to self-driving cars, then manufacturers will be responsible for individual lives on a level they never have before.
In the end, Scannell says he never got any sort of positive resolution with VW. “There’s no where I can go with this,” he says. “We get to drive our VW Golf SportWagen [and hope that] someone doesn’t shut it off on us. We are not given legal recourse. There’s no remedy for us to have control over our vehicle.”
Volkswagen, however, says that Scannell wasn’t given the full story by the CARE letter he received. According to Frank Weith, General Manager of Connected Services at Volkswagen Group of America, “What the letter doesn't outline is that we do have the capability to completely sever the connection from the car to the cellular network. The customer would have to bring their vehicle to the dealer where it would be put into 'flight mode'. The result is the same as if the module were removed from the vehicle. This can only be done at the dealer.”
Once this “flight mode” is enabled the Car-Net system, he says, effectively becomes a “brick in the car” and the dealer will also perform a test to ensure that the vehicle is not capable of sending or receiving information.
In some ways, it's consumers themselves that can partly take on blame for this state of affairs. Much like what happened with our phones and location tracking, people “see what the want to see,” says the EFF’s Tien. “It’s a lack of imagination — or lack of technical literacy. People are used to things being a certain way. When things get upgraded their expectations tend to stay with them even when [devices] are evolving under their noses. As long as it gives them what they want to get out of it the idea that it’s capturing information doesn’t seem terrible.”
That means ultimately it will be up to consumers to demand privacy from manufacturers before they will give up access to our data, because there’s no incentive for them to do otherwise — especially when only security experts like Scannell are the types of consumers that are calling for it.
“Some manufacturers may be more friendly to your privacy than others,” says Glancy. “But we ought to have more friendly cars. The car shouldn’t be a rat or an adversary. It’s supposed to be a tool for us to have personal mobility. But it’s kind of turned on us in odd ways.”
And, while it may feel like Volkswagen is the bad guy of this story, they’re not even close to being the only car manufacturer that has equipped their vehicles with on-board systems that send and receive data. BMW, Mercedes-Benz, Audi, Lexus, Toyota, Nissan, Infiniti, Honda, Acura, Mini, Hyundai, and Chrysler/Dodge/Jeep cars all come with their own versions of Car-Net. And, of course, every single new car that hits the road is federally mandated in the US to have a little black box.
These snooping systems aren’t going to get less intrusive over time. Unless, of course, consumers start calling for privacy. As Scannell’s example clearly highlights, even though the manufacturers may be building in an off-switch, the consumer desire to protect their own privacy is so low that even knowledge of the switch’s existence appears to have been a mystery to the dealer, the customer service team, and the technicians they consulted with. Only Weith, a top executive at the company, managed to have a solution to Scannell’s problem. It’s likely that wouldn’t have been the case if more customers had been asking to have their Car-Net systems disabled.
Once cars become fully driverless they will rely entirely on their outgoing and incoming data connection to function properly. And that means we are currently laying the groundwork for what the future of privacy in our cars will look like. If people actually do care about protecting themselves from manufacturers and marketers that want to watch their every vehicular move, the time to speak up is now. Otherwise it could very, very quickly become too late.
By Erin Biba