

Nissan Leaf leaks your current position to RSS feed providers - chronomex
http://seattlewireless.net/~casey/?p=97

======
noonespecial
Dammit. Now I need a firewall and a sanitizing html proxy for my car too. May
as well put it behind tor while I'm at it.

Lessee: Iptables redirect of outbound port 80, squid, squidguard with http
request rewriting, onion router with tor...

Das ist mein Car-Tor.

~~~
rainnw
I am having a hard time determining if it's the vehicle making the actual
request, or if the request is somehow proxied from the Nissan CARWINGS data
center. If it's just the CARWINGS data center, that is probably a really easy
fix.....but if it's the car....ugh...

~~~
noonespecial
Only the car can transmit its own gps and heading data. If it gets to the logs
of your own web server, it came from the car somehow or another. If it's
glommed on to the request on its way through the CARWINGS datacenter after
arriving there by another protocol, _that's worse_. It means they're hoarding
the data in their cloud and your privacy has never even crossed their minds.

------
prodigal_erik
The moral here is to use X- headers for evil, because people will quickly
notice when you start injecting random stuff into URLs you don't manage.

Actually, current or planned location of the client is a sensible thing to
provide in some standardized header, though of course not without informed
consent.

------
edoloughlin
Not sure about others, but on a 3G network, you're very likely to get a
different IP address for each request. This makes tracking a bit more
difficult, as you'd have to correlate by lat/long. Given that there doesn't
seem to be any sort of uuid in the request and that the requests are likely to
be ~10 minutes apart, I'd think the risk of actually being tracked is quite
low.

~~~
tnorthcutt
Did you click through? It's transmitting lat/long coordinates, not an IP
address.

~~~
bonzoesc
How is the HTTP response getting back if it's not broadcasting an IP address?

~~~
kiiski
I think he meant that the IP address is irrelevant since the coordinates are
sent too.

------
zv
That's a feature! Seriously, imagine the possibilities. Yes, privacy is good and
should be protected, however this feature enables many fancy things to be
done.

------
bergie
Maybe the lat/lon URL parameters would be a good thing to standardize on,
actually. Having feeds tailored to your location makes a lot of sense on other
mobile platforms than just cars.

Sending the car ID isn't nice, though.

~~~
StrawberryFrog
Aggregating the speed data is useful too, e.g. based on lots of location and
speed data, you can tell that traffic on Highway 1 is moving, but on Route B
it isn't; and route incoming cars accordingly.

Or gather data on average speeds and numbers of journeys by time of day for
capacity planning.

It can be used for evil; but there are legitimate uses too. It's a hard
problem to get the data out to _only_ where it can do good.

~~~
StavrosK
That's how Google maps gets real-time traffic info, by monitoring the
movements of phones using it.

~~~
JonoW
How would it know if you're walking or driving?

~~~
djb_hackernews
Any number of heuristics.

Average speed, location (are you in the middle of a park, or traveling 65MPH
very near to a highway?), ambient noise, etc.

------
ahrens
I can't see anything identifying the car or driver? And it only sends it to
RSS-feeds the driver is subscribing to? It should be in the manual, so that
the owner knows it's happening, but I don't see much risk in it as long as the
car isn't identified. It just says "there is a car here, going there". It can
be used for so many great things, like diverting traffic to low volume areas,
alert the driver to accidents and so forth. Be sure to only subscribe to feeds
you trust. We are already tracked in so many ways with our phones and cameras
all over, this doesn't add any huge disadvantage as far as I can see.

~~~
biot
A car that always leaves the same residence at 8:00 AM and arrives at the same
business at 8:35 AM is trivial to correlate with a specific driver. From
there, use your imagination as to how this information can be abused.

~~~
hugh3
Anyone capable of getting access to the database is probably capable of
getting some guys in a car to follow you round all day though, right?

~~~
biot
Why bother following people if you can just pull several years' worth of
detailed driving records on thousands of drivers at a time?

~~~
ahrens
It's not without problems, sure we will be more vulnerable to somebody
attacking the datastores keeping these locations. But honestly, so much data
is stored about us already, this is not a big enough leap to provoke a big
outrage. It's just another piece of the monitoring puzzle, and a small piece
at that. When I check my iPhone for apps using location service, I find ones
that shouldn't need it, like "cut the rope", "dropbox" and "HuffPost". I also
find services that really need my location to add value, like AirBnB and
Tripit. When we start sharing our location, we get access to new services that
can help our lives and we also expose ourselves. If you don't think location
services can add value to your life, buy another car and disable location
sharing in your phone. If you do like the services that enhance your life with
location services, enable it and learn to live with the fact that somebody
might be able to figure out your movement habits. It's a tradeoff like
everything in security.

------
maeon3
And after your personal data has been extracted and sold to third parties, you
go into your car to try to disable the lat/long transmitter and you go to jail
because you triggered alarms which notified the authorities you were probably
trying to hack into their systems and extract sensitive copyrighted software.

They have the freedom to track my locations, but I don't have the freedom to
look at the source code that drives me to work.

