Hacker News new | past | comments | ask | show | jobs | submit login
OnStar Begins Spying On Customers’ GPS Location For Profit (zdziarski.com)
264 points by jzdziarski on Sept 20, 2011 | hide | past | web | favorite | 92 comments

If OnStar is collecting data after you cancel service, I would think that they've made themselves liable to "duty to rescue" if they observe you getting into a wreck.

If they aren't doing this -- that is, if they are observing and ignoring wrecks -- then I hope that someone starts a class action.


"In the United States, as of 2009 ten states had laws on the books requiring that people at least notify law enforcement of and/or seek aid for strangers in peril..."

Be careful with using Wikipedia for law. If you follow to the original source[1], the "duty to rescue" law exists in most states as a duty to report rape and murder, not a duty to report car crashes. And the penalty in some states is as low as $100.

Second, even if the law were as you said it was, a class action would only be appropriate among people who have actually been in wrecks after the most recent change in terms and conditions --- people who have not crashed have suffered no harm from the alleged policy.

The short version is that Wikipedia is notoriously bad about law because it is largely written by non-lawyers; often it describes the law as Wiki editors _want_ it to be, rather than how it _is_.

[1] Usefully condensed here: http://volokh.com/2009/11/03/duty-to-rescuereport-statutes/

Of course, you're right and IANAL. Indeed, the quote I chose to include was from the "special circumstances" section, it may only apply to 10 states, and there are special requirements. Also, you are correct that a class would only include victims of wrecks whose OnStar systems were cancelled but active (and possibly any other people affected by the wreck -- e.g. the people in the other car).

Nevertheless, it seems unethical for OnStar to profit off human suffering when they are in a position to assist -- I suspect their crash statistics are among the most profitable data they collect.

it is largely written by non-lawyers; often it describes the law as Wiki editors _want_ it to be, rather than how it _is_

True, but lawyers do that too at times.

You might want to tell that to the DoJ.

They seems to have no issue broadly interpreting laws.

you're right about the duty to rescue, however having been involved with OnStar's systems sometime ago I will tell you what they will say. "While we still collect data on your driving habits, information is not monitored it is collected and stored and analyzed later. We are not currently equipped to monitor the millions of vehicles that are currently equipped OnStar that are not subscribers." But I'm sure everyone on this forum knows it would not take much modification to have accidents set off an alarm in their monitoring system. This way only when an accident happens would you be notified. But the liability reasons I'm sure they will not want to open up that can of worms.

"Yes, your Honor. My eyelids were open and my eyeballs were receiving light reflected off the victim, but my pre-frontal cortex was not paying attention to the input at the time. Therefore, you must find me not guilty."

IANAL, IANAD, but the "collecting data without analyzing data" argument still seems pretty flimsy.

For context: GPS navigation device manufacturer TomTom sold anonymized traffic data to the Dutch police this year, police used data for setting up targeted speed traps.


I would think this isn't limited to in-vehicle hardware like OnStar, but rather it seems applicable to smartphones too. That smartphone in your pocket is moving just as fast as your car and could just as easily be used to gather such data. Perhaps not as fine grained as the OnStar information (talking coarse vs fine location) but there's certainly enough data casually collected by your dormant smartphone to enable much of the same exploitation.

If you have some time, read "Warrantless location Tracking" 83 N.Y.U.L. Rev. 1324 http://www.law.nyu.edu/ecm_dlv2/groups/public/@nyu_law_websi...

  A common step in police investigations today is to secure a court
  order tracking the movements of a suspect or anyone else whose 
  location the police believe useful. The flip side of this 
  powerful tool, though, is how revealing and intrusive it is. Few 
  people would be comfortable being followed by a police officer 
  all day, even if they did nothing illegal or even interesting. 
  Justice Brandeis once invoked the "right to be let alone,"  and 
  undetectable location tracking pressures the alone part: No one 
  is "let alone" if the police may, without notice or probable 
  cause, find out everywhere they go for a day or a month.
It's a good, if disturbing, read.

Disclaimer: I work for GM, but do not know much about OnStar, especially internals. My reply is purely speculative.

I can't speak as to what OnStar actually does with this data, but I CAN tell you that GM wants to use it as a platform for the best customer service platform in the business.

Imagine that the "marketing" they do with this data is something like selling it to dealerships ("affiliates"); the marketing call being something like "Hi Mr. Smith, we noticed your fuel pump is going bad. You pass by our Main St. service center daily; would you like to schedule an appointment?"

They could also "sell" that data to GM engineering, to make future (or current, through controls software updates) products better.

You pass by our Main St. service center daily; would you like to schedule an appointment?

you don't think that would freak most people out?

The possibility of extrapolating your future behavior is even creepier: With a probability of 92% you will pass our Main St. service center between 05:23 to 05:28. We will be waiting for you...

Fair enough; how about "your closest certified service center is on Main Street"?

How about just crippling the car in front of the dealership and guaranteeing the sale?

On the one hand, this comment gave me an epiphany (about how some people think) so thanks for putting this here. One the other hand, I can't wait to have downvotes for comments like yours.

The epiphany is as follows:

1. There are a lot of people with very negative views of corporations roaming around the internet

2. http://en.wikipedia.org/wiki/Confirmation_bias will cause them to view goodhearted actions in a negative light, and genuinely think they're right

3. Therefore an important goal of PR is to include falsification ammunition alongside announcements that are likely to be misunderstood

Less abstract breakdown:

It's pretty clear that most people would prefer a car that instead of just saying "please find someone to fix my xyz" says "please find someone to fix my xyz, and fyi Foo Dealership will likely be the most convenient" -- maybe my friends and I are just lazier than average, but that actually sounds great for me, and I could see several friends really appreciate not having to spend the time picking out a repair shop. This is especially true if they handle figuring out who is certified to do warranty covered repair work.

So GM likely thinks of this sort of application as a small to medium win: GM cars are somewhat less hassle to own, and maybe last a bit longer on average / get a higher average resell value because people are getting things repaired sooner rather than later.

However, because people will think "oh, they're just doing it for the sale" (which they are in this case, just not the one-shot-sale but instead the generations long brand building approach), GM should announce both at the same time, and include a few points that obviously invalidate the fly-by-night opinion -- Do they recommend places based on Yelp reviews + distance? Do they even take money from repair shops when recommending? Do they use wait times and the urgency of the repair as the primary criteria?

Basically if GM included some answers to questions like the above as ammunition, then when journalists / analysts / online message board readers get in to arguments about this question, GM is significantly less likely to come out looking evil.

Actually, it was just a joke. But glad to see you found some enlightenment in the idea.


I understood that your comment was a joke - I was commenting on why you made that joke / in what contexts jokes like yours occur to people... and reasoning about steps that companies could take to make such jokes sound flat.

Well you would rephrase it. You could say, "We conveniently have a service center on Main St." (it knows you leave work at 5) "For your convenience, We're open until 8!"

You can let the customer put 2 and 2 together.

If they want to provide better customer service, stop bugging me. In the past month I have received several emails, at least three letters begging me to subscribe to OnStar and one phone call to my vehicle for the same. If decide I want to subscribe, I will contact them.

I have been pretty happy with my vehicle, but it is stuff like this that makes me wish I was dealing with another company.

That's why you don't give out your e-mail address.

If that was the only rationale than the T&C could call it out specifically, rather than allowing for sale to any third party.

I believe dealerships (or the dealership network) are an entirely different corporate entity.

But still, if you were carving out an exception for this type of thing in the Terms and Conditions, wouldn't you be explicit as possible?

Contracts tend to be as vague as possible when it's in the author's favor, no?

If anyone actually thought OnStar wouldn't be used for that from day 1 they were just fooling themselves.

Now apply that statement to other things we use today that collect a lot of data on us.

This is the wave of the future; sharing data. Unfortunately, the way the model currently works is that our data is collected by others and used by others. We need to define a framework where can establish sovereignty over our data, decide how and with whom we wish to share it, and finally, be able to capture some of the income derived from the use of this data.

I might be OK with OnStar selling my data, if I get a piece of the action. Otherwise, what's the point? My job is not to further enrich these companies after I've purchased their product/service; they are making use of what is currently a free resource, my/yours/our data, and it's high time we started charging them for this privilege. They are essentially capturing economic rent, and it's really my income that they are capturing.

Well, I'm sure they will gladly pay you the few cents that your contributions is worth, after substracting expenses, profit, and dividing between all customers.

It's a free resource only for _them_, because they've already invested what they've invested. For you to get the same "free" resource, you'd have to pretty much make the same investment.

I'm not sure what the data retention laws are in US, but what I'd personally find reasonable would be a mandatory "opt-out" option for all such services. Not opt-in, mind you - there is a host of innovation waiting to happen once such data becomes available, and by far most of it will be positive.

I know for a fact that OnStar provides incriminating information about its users to the police. For example, if you are in a wreck and you sound intoxicated, they will inform the cops. (I've heard police talking about this on scanners).

Given their enthusiasm for ratting out costumers to the authorities, I would be concerned.

Anonymized gps data can be troubling. For example:

If I was an insurance company having to pay a claim. I could buy the GPS data, look at some anonymous GPS device that constantly goes to/fro the house of the person in the accident, followed by noticing that this person was speeding a few miles an hr and denying claims or claiming more responsibility, even if it is not warrented.

The flip side is that it can be a good thing. Funny thing about speed traps though... Guy gets pulled over for speeding 10mph above limit. Claims that hes moving with traffic (60mph). Gets ticket. 10 min later gets pulled over for creating traffic going 50mph, the speed limit, and gets off with a warning after showing the original ticket.

End of the day, this is very tricky, can be good and bad for society. However in the end OnStar is profiting so its not intended to help anyone but OnStar.

Interesting case law here [1] where GPS was used to appeal a speeding ticket conviction.

[1] http://www.csmonitor.com/USA/2009/0911/p02s01-usgn.html

I always find these cases strange given that in court you can overturn a speeding ticket if the police officer can't provide a certificate of calibration for his speed trap device.

To apply the law equally, the driver can't provide a certificate of calibration for his GPS device so legally he's unable to prove that his GPS is giving an accurate speed measurement.

The law is not applied equally in court. By design, defense faces a much lower bar than prosecution. It is perfectly reasonable to require certified calibration to determine guilt, but accept data from an uncalibrated consumer device to overturn a ticket.

(As an aside, I don't think GPS would require any calibration anyway. If I understand it correctly, it'll pretty much either work or not work, with the accuracy of the output determined largely by atmospheric conditions and satellite geometry. The worry here would be deliberate tampering rather than calibration.)

There are other factors that can affect the accuracy of GPS; for example, receivers tend to be significantly less accurate in a CBD with lots of tall buildings. I've also seen receivers with an error before, eg. one that consistently reported itself as being 150m south of where it really was.

But I agree that by far the more significant problem would be deliberate alterations to the data. It doesn't seem like it would be particularly hard to do so...

At which point you're entering the realms of perjury, and probably several flavours of fraud, contempt, and other things that judges tend to dislike.

You're probably better off just paying the ticket.

Agreed, I'm not suggesting it's a particularly compelling option to deliberately falsify data for a court, but it could affect whether or not the court can consider GPS data to be sufficiently accurate - ie. even if the data is legitimate, how can the court know that's the case?

the main reason why you'd be able to overturn a speeding ticket in the first scenario you mentioned, is because the burden is on law enforcement to prove you are breaking the law. It's one of the last few bastions where the intangible burden of proof remains high and squarely placed on law enforcement.

In civil cases, it's not actually all that high. "Preponderence of the evidence" roughly means "it is more likely than not" the case that you are guilty of the alleged offense. "Beyond a reasonable doubt" only comes into play for criminal offenses.

Minor traffic offenses are civil, not criminal, so the much lower preponderence standard applies.

I purposely left it vauge because although minor thraffic offenses are civil (covering most speeding tickets) Other more serious traffic charges can be levied (driving with a suspended license, reckless driving, drunk driving)are considered criminal offenses. However the point remains that the burden in either instance is still in fact on law enforcement or the plaintiff in the civil proceedings most people are familiar with (i.e. johnson v pfizer)I know you know that already, but i just wanted to clarify for anyone else that have been mislead by my earlier post.

This reminded me of a case back in 2003...the 9th Circuit Court of Appeals ruled against the FBI in a case where they were tripping "recovery mode" to surreptitiously monitor drivers under Federal investigation:


The court ruled against the FBI here, apparently not for anything related to privacy, but rather due to the fact that such surveillance could constitute an interruption in emergency services.

Note also that the decision is only binding in states that fall within the 9th Circuit's jurisdiction. (And no clue whether this decision applies also to local law enforcement; would assume that it does, but IANAL/LLE).

This is really not ok, and means I'll never buy any car that has OnStar.

Me either.

Does anyone know if it is hard to physically disable an OnStar system? I don't have a car with OnStar; just curious.

Yes. In the main electric panel under the hood of my 2007 Chevrolet Silverado, pulling fuse 47 (I think, it was labeled "Veh Info ACC" or similar) will cut power to the OnStar module.

Apple and Google are nt the companies you need to worry about. The truly scary ones are companies like Axcion (http://www.acxiom.com/ ). When a company has so much private info on you that only the federal government is allowed to see some of it, and they are gathering this information on every transaction you make, then i think you have to worry.

Not that Google and Apple [and Facebook] couldn't be on their way. I just think they both have competing agendas that will limit how awful they are with the data. People feeling Google and Appke are awful data companies are suffering badly from Familiarity bias.

That is why I would never consider buying a GM car

Then let's talk about Toyota and their black boxes that you can't get into:


Why would Toyota be able to get at this data without physical access? Doesn't look like there's evidence of radio capability, unless I'm missing something...

You don't think other companies are capable of slipping a GPS/3G chip in your vehicle to do the same thing? I don't know what the legality of this would be, but I'm sure they could slide a clause into the pile of documents you sign when buying a car.

The difference with a GM vehicle is that the customer knows the data is being recorded.

I'm not sure what documents from the manufacturer (and consequently the operator of the GPS hardware/database) you're thinking would need to be signed, but the only stuff I signed when I bought my car was from the dealership and the bank.

Sounds like to me they're getting into what TomTom does with their Traffic HD service (think that's what it's called). Cellular modems report location and speed, based on which traffic reports are shared with other navigation units.

First they make you need them, then they make you subservient to them. Has empire building ever been any different, from the 21st century BC to today?

This situation cries out for Congressional oversight.

Careful what you wish for. Once Congress is involved, they might just make it a mandatory safety feature.

It's true that OnStar's TOS is awful, but the author leaps to several inflammatory conclusions that, to me, seem unjustified.

The most obvious one is when he mentions the boilerplate about a part of OnStar being sold, and then theorizes that they are actually planning to sell, perhaps even to one of those great boogeymen, Apple or Google.

There is a theory that you only build weapons that you intend to use, otherwise its a waste of funds. It cost money to put the language into the agreement and someone argued that cost with an offseting revenue. That suggests to me at least that the information will be packaged up and sold.

Now how nefarious will that sale be? That is fairly subjective. But as others have pointed out, if you're carrying around a smart phone you may already be giving more information to folks than you care to. It reads like OnStar wants in on that gravy train.

Companies get sold all the time. Maybe someone at OnStar realized that this is a realistic possibility in the next couple of years. Maybe OnStar wants to found a shell corporation.

I have seen such wording in a number of other TOSes so far, e.g. by Google [1]:

If Google becomes involved in a merger, acquisition, or any form of sale of some or all of its assets, we will ensure the confidentiality of any personal information involved in such transactions and provide notice before personal information is transferred and becomes subject to a different privacy policy.

[1] http://www.google.com/privacy/privacy-policy.html

I agree they get sold all the time, I've been hearing advertisements that I can get OnStar on my non-GM car in the SF Bay Area, so I presume they are expanding their reach.

One of the interesting techniques here is to make this change, get some heat (as they are) but then saying "Hey, its just boilerplate, we're not selling this stuff take a chill pill." And then 6 months or a year later, when everyone has forgotten the ruckus, do start selling the information, except that now since its pre-authorized by the ToS there is no 'lighthouse event' that goes up to alert the public to that fact.

A crusader would now start watching for news about OnStar partnering in six to nine months with someone who could use information about where people are, or where they go.

OnStar is a massive advantage for GM; I can't foresee them ever selling it.

Edited because my slippery thumbs hit submit early.

Re: unjustified -

  After learning that the unnamed system could be remotely
  activated to eavesdrop on conversations after a car was
  reported stolen, the FBI realized it would be useful for 
  "bugging" a vehicle, 
This is from 2004, the "unnamed system" is OnStar and FBI did use it to eavesdrop on someone.

[0] http://news.cnet.com/2100-1029_3-5109435.html?tag=st_util_pr...

Of all the companies to single out as entities you wouldn't want GPS data to be acquired by, Apple and Google are an odd choice.

I mean of all the possible companies that might acquire this GPS data, it's not like Apple or Google already have copious amounts of GPS data on us. Is it?

I can't tell if you're being sarcastic or not. Setting apart the location-based services built into mobile devices, every time you access a service from either Apple or Google you're pinging their server with an IP address that has a certain degree of geolocation. This includes accessing a website using Google Analytics.

Pretty scary that they collect data after you cancel unless you unhook it. What if you buy a used car that had OnStar - how is that legal?

Shutting down the connection is apparently something that they do remotely: it was difficult to ensure the data connection was shut down after canceling. I still have no guarantee OnStar did what they were supposed to

If it were me, I'd pull the fuse or if necessary cut the wires to the transmitter.

"For your comfort, safety and security, OnStar technologies are now being directly integrated into your engine management unit. To ensure your safety even further, all protocols, wiring diagrams, instruction manuals and other materials are encrypted, obfuscated, and welded shut. Thank you for enjoying your OnStar Service!"

I once decided to cut cord to the vanity light in my car (long story why). Even though the car was off I was able to get quick a scare. Lesson, electricity in a car is not off when the key is out. I was close to winning one of those Darwin awards.

The voltage in car circuits is usually 12V, not enough to do you real harm.

Yup, the sparks when you short circuit can be spectacular (the car battery can provide quite a current), but the voltage can't kill you. It would suck if it could - high voltage cables all around you would make accidents very dangerous. The worst that could happen to you is burns from the wires getting hot.

Shorts in a car can generate an awful lot of heat and smoke - within the confined space of a car this can be pretty alarming.

I've been in a passenger in a car that had a short in the facia while driving - the car immediately filled with dense choking smoke and we nearly crashed. Scary stuff. This wasn't recently though - I hope the standards for in-car wiring have improved a lot over the years!

Voltage never kills you, current kills you.

It's the voltage that generates the current and 12V is not enough to generate lethal current in human body.

Um, a car is 12v how did you manage to do anything at all scary? Even if you shorted it all you would do a blow a fuse.

I'm sure they have a way to reactivate it thus still have a connection.

I don't think you understand how fuses work.

I meant if it's a remote deactivation they are doing. They probably keep a way to reactivate it. It would be interesting to know if anyone has tried to cancel and reactivate.

or wire cutters.

C4? Oh wait, you still want the car right?

We'll have to wait and see how legal it is until a lawsuit is brought or outcry online embarrasses the company into action to change it.

Sad that those are the only two things that will get this addressed, but it seems born-into corporate existence to poke and prod at the rules until someone slaps its hand.

from the beginning, too. Shades of "be naughty"

I think the larger issue here, that legislation is not caught up with the digital world. And I don't suspect it will for some time. There is little incentive for companies and governmental agencies from restrictions on what they can or cannot track without a warrant. Law enforcement agencies want easy access to your entire digital footprint and companies want to continue to pilfer that information for profit. Unless sweeping legislation is introduced or broad enough case is brought before the Supreme Court your digital life will remain an open book to anyone with enough money, technology or know-how.

OP's outrage rests on the fact that OnStar claims they are anonymizing the data and he says they are not. Why should I believe him over OnStar? He gave no evidence that they were not anonymizing the data properly, he just assumed they were not.

EDIT: There are other ways to anonymize data than simply removing the name associated with data.

His concern is not that OnStar will fail to remove your name from the GPS location stream. It is that even without a name attached, the subject's identity can be readily inferred from the data itself.

If one looks at a stream of location data over time, and sees the recurrence of a particular location in a residential area, particularly at night, then it can be pretty well surmised that this is your home. And from that, it's a trivial step to get your identity. And bingo, the anonymized data is now re-identified.

There's a simple solution to that: don't give a stream of location data. Chop it up into 5-second fragments, and fuzz the data by a meter or so to prevent re-assembly.

That would still be a very valuable dataset (for me at least), and almost completely free of PII.

Than again, I'm not an expert in these things; am I missing some way that this could be deanonymized?

Adding a meter to the GPS location of where my car starts and stops at the end of each day still tells you where my house is.

Even if you removed any IDs from the data and sufficiently fuzzed the location, speed, and timestamps, you are still left with a heatmap of where cars with OnStar drive most frequently.

In a city, that is probably anonymous. If you are in a rural area or drive along a route where your car makes up the majority of the data points, it still isn't.

I don't think I can explain why GPS data is inherently immune to anonymizing better than the OP. Please re-read that section.

It's impossible to anonymize location data, because location data is actually better at identifying you than your name (unless you have a very uncommon name).

The US census releases anonymized location data.

The U.S. census releases aggregate data. It's not so much anonymized as impersonal. You're right, though, I should have been more specific: it's impossible to anonymize location data, save by aggregating very large, amorphous groups.

the OP explains it all quite clearly - you should reread the post.

But in a nutshell his point is that by its very nature GPS data collected over a constant time period cannot be anonymized. If your car is located >50% of the time in one of two places, chances are one is your home and one is your office. I now know where you live (and thus your identity) and I know where you work.

How do you know they give continuous position on a per car basis? They could break everything up into chunks, or simply give out statistics on average speeds and usage for every road.

Everyone here is assuming anonymize means to remove name but keep everything else intact. I see no indication that this is the case. If there is reason to believe otherwise, point me in that direction.

  for any purpose, at any time, provided that following collection 
  of such location and speed information identifiable to your Vehicle
They store the data tied to your identity. A data breach (quite common these days...) would be a Big Deal. GPS tracks of everywhere you've gone in your car, ever? That's worth quite a bit of money in the right hands.

  He gave no evidence that they were not anonymizing the data properly, 
  he just assumed they were not.
Zipcode, birthday, gender: identifies 87% of Americans[1]. Your (Home,Work) gps tuple? Unique[2][3]. His assumption is quite safe; every "anonymized" dataset that's been released into the public (that I know of) has been de-anonymized. Why would this one be special?

1) http://arstechnica.com/tech-policy/news/2009/09/your-secrets...

2) http://crypto.stanford.edu/~pgolle/papers/commute.pdf

3) http://33bits.org/2009/05/13/your-morning-commute-is-unique-...

EDIT: In response to parent edit and below comments

I have no proof of these, but factoids I believe to be true (so feel free to base a research paper on them :D)

1) To identify commuters: (Highway-Entrance-Location, Average-Highway-Entrance-Time, Highway-Exit-Location, Average-Highway-Exit-Time) -> some derived values: approximate (home,work), average speed, average driving aggression

2) Really, now that I think about it, any dataset where multiple gps tracks (for a single person) are tied together is out. If you can get any single Average-Location-at-Specific-Time data point, (plus point #3 below) you've reduced the unique set to quite small. Then you just stand on that street corner at that time (or, for the police, use the red light cameras...) and you're done.

3) This is an OnStar dataset we're talking about, so you're looking for GMC-manufactured cars, made in the last ~10 years (or whenever onstar started going into cars). I'm willing to bet that just that data point is enough to reduce any other lukewarm/weak de-anonymization to a solid match.

4) Anyone who buys onstar as an option is quite concerned with their safety at all costs (... my bias, I guess, since I consider it a waste of time), so look for e.g. families with small kids or other dependents.

I'm running out of steam for this single comment, but name is certainly not necessary for unique ID. Ongoing research is cracking this stuff wide open. When the netflix dataset came out, who would have thought that movie ratings could uniquely identify a person?

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact