FTFY
Users opt in to share information blindly click through the important bits so they can play with Android Auto
Google has flatly denied that its Android Auto car dashboard software slurps too much information from vehicle engines. It was earlier claimed that Porsche snubbed the system because it was shocked by the alleged data gobble. Google convinced many automotive manufacturers to use Android Auto for their in-car entertainment and …
Someone really needs to teach The Register about the art and craft of non-denial denials. They have fallen for Google's response hook line and sinker. What Google's statement actually said was:
"We take privacy very seriously and do not collect the data the Motor Trend article claims such as throttle position, oil temp, and coolant temp. Users opt in to share information with Android Auto that improves their experience, so the system can be hands-free when in drive and provide more accurate navigation through the car’s GPS."
Years ago I worked in a corporate PR department and I can guarantee you every nuance and clause of that statement will have been considered by lawyers. From a company like Google, you can *always* analyse such statements as a careful exercise in deliberation.
1st They have said "The" data, definite article. Which means anything that doesn't quite match the Motor Trends article, even if largely overlapping does not count. Secondly, saying "such as" makes it sound like they are talking about all general cases, when coming after the definite article, it isn't saying they don't collect each of those things in any combination, but only that they are examples of the kind of data in the definite set of which they are not collecting. A very, subtle but important distinction.
2nd and more importantly, the statement "users can opt in to share information" is a non specific way of indicating data collection practice is modified by user choice and is compatible with them in fact collection of the data after that point. The fact you have to opt in for Android Auto to become useful is then the salient point.
Contrast with "we do not collect any of the data the Motor Trends article says we do." Shorter, clearer, almost certainly not said for the reasons given!
Some PR departments are very good at mis-direction. My wife recently had a battle with a small Commercial Gas/Electric/Internet company who conned her into a contract. During the process of getting the contract annulled, they sent some very interesting letters which when you calmed down and read them said quite a bit which they probably didn't want to!
Needless to say, any response from a company is now read and dissected to find out what they 'really' mean.
Yes when you learn to spot them they stand out.
One very clear instance just recently was Cameron's response to Andrew Marr on the Ashcroft Story. He just referred Marr to an earlier "clear statement addressing this" which was actually a carefully crafted non-denial denial statement, thus he tried to give the impression he had addressed it, when he hadn't ! The non-denial denial playbook. Except he did it quite badly, and needed to appear irritated as though "look I've gone to the trouble of issuing a full statement and you're still asking me, just do your job properly man and read the statement" That would have worked a bit better. Instead he looked a little sheepish.
The other person who used the same tactic (actually more effectively at the time) was a certain lib dem who ended up in prison for passing off his speeding ticket as his wife's.
The original article of defence by Porsche didn't stack up at all though. The data Porsche were talking about is already available (by law) through the OBD port. Therefore all their 'super secrets' could be gained by just hiring or borrowing the car for the weekend and collecting the data, as Porsche already knows.
Google has enough cash to buy a number of the cars and dissect them if they really wanted more data on the way they operate as well Porsche knows.
Porsche also know that Google are unlikely to be creating a 'competing' car to Porsche, especially one that they would need the OBD data to produce.
There is very little also that Google could gain from the OBD interface that is *that* private to an individual, over and above what is already collected anyway. Android, Microsoft and Apple all use location services that can track you current location and can already detect your current speed using the phone itself - unless you disable the GPS and location services, but I'm sure most people wouldn't. Therefore the fear is that the data from Google could be used in the event of an accident for Police evidence, however most of this data is already stored by high end manufacturers in a black box in the car which can be accessed by the manufacturer.
OBD data is also very useful for an integrated device to have. If you've ever connected bluetooth OBD adapter to your phone and run Torque for instance, the displays and data you can retrieve are great (as well as having some useful diagnostics).
So the best point is about security and the issue with malware - however many cars have already shown this to be vulnerable recently via the infotainment already installed. At least it would be possible to disconnect the phone if this issue was discovered with Android Auto or Apple's car play and received an OTA update - something you can't normally do with a normal system.
I suspect that this is just some deal with Apple, that included some push by someone to leak a statement about data privacy as Apple seem to be trying to make a comment about this every opportunity now (similar to how Microsoft did previously with their scroogled campaign). Either Porsche or the magazine has been dragged along into as well.
We have a friend from university who created a company that makes and sells new engine chips for hot Honda hatches that makes the full range of the V-Tech engine available. He did it by reverse engineering the standard chip from a bought Honda.
They have since helped out the Honda racing team and now get the necessary info from Honda. But the point is that even without modern buses such things can be had if you are determined enough.
"Therefore all their 'super secrets' could be gained by just hiring or borrowing the car for the weekend
and collecting the data, as Porsche already knows."
The problem is that the 'data' is meaningless gibberish until you put a lot of effort into test samples while the doors/bonnet/boot are open/closed, driving at low/medium/high speed, with high/low revs, indicators on/off, etc/etc/etc/etc.
Having lots of data collected over a weekend is fun, but it won't tell you 'all the secrets'.
Also 'all the secrets' are very much dependent on the manufacturer and change between models, and even revisions of the same car...
"Someone really needs to teach The Register about the art and craft of non-denial denials."
I just find it curious the totally different style of writing. If it was specifically Apple doing this, the story angle would be ridiculous hyperbole about how the world was ending and how it was all Apple's fault with a negative spin on literally anything at all, no matter how insignificant.
"I just find it curious the totally different style of writing. If it was specifically Apple doing this, the story angle would be ridiculous hyperbole about how the world was ending and how it was all Apple's fault with a negative spin on literally anything at all, no matter how insignificant."
No it wouldn't, because Apple don't send The Register statements at all, bullshit ones or not.
Oh please. In the article about Apple and Ferrari the other day, there wasn't paragraph after paragraph about how Apple *could* be hacking the cars and *might* be able to do this and the option *exists* for them to do that.
I really hate it when the iFans manufacture reasons to get offended.
The key here is that Google would be collecting it from millions of cars eventually. They aren't going to convince millions of people to connect a doo-dad to their ODB II port, then download the data off it to Google.
That sort of data has more value the more of it you have. Porsche doesn't want to just hand it over to Google and potentially advantage them.
Bah, no corporate PR or not.
For a start the statement you've said is shorter and clearer and not given for reasons of evil also contains the term "The Data".
If you read the first part of the google statement it basically states exactly the same as you've said "do not collect the data the Motor Trend article claims" they then use "such as" and give examples. Your clearer shorter statement claims exactly the same thing just doesn't have the examples attached. Providing a subset of examples in no way legally limits the initial statement.
Secondly the opt in statement is written such that it clearly doesn't provide a get out clause to the first one. "Users opt in to share information with Android Auto that improves their experience" in no way trumps "we do not collect".
The nuance here is the word "collect". I think what Google want to allow is the information to go to the "phone" so that it can be used for fancy displays and other apps, eco-driving-assist app for instance. When Google says they don't "collect" that normally means that even if they've got it it will not be sent to the cloud and won't be saved on any database.
Thirdly, the phone has got my GPS location, my contacts, the data of all my texts, emails and phone calls, and a run down of my awful taste in music. Why the hell should I care if they know what my oil temperature is, I can think of plenty of reasons why I might want them to know.
This is all about Porsche being scared of competition, nothing else. However then despite that wariness they've been blinded by the shiny and trusted Apple instead. Flids.
CAN packets are prioritised, meaning it is possible to completely DOS a bus through sending high priority messages - that will never allow low priority messages to get through. There is no "fairness" policy etc.
You certainly separate the engine control stuff from the body electronics. Any bridging between these is done with a gateway of sorts (think firewall). This limits what data can flow between the buses as well as the rate packets can be sent.
Even when you attach diagnostics (OBD2 etc) that will be via the bridge preventing the diagnostics tools from trashing the engine bus.
It is also very common for the different buses to have both different bit rates and signalling levels. There is no point in having high speed CAN buses (1M etc) for opening doors, switching on lights etc etc. There is good reason to have high speed in the engine to reduce latency.
So where does a Google device sit on the bus(es)? Clearly not on the engine bus. Most vendors would only allow it to be attached to a dedicated bus so that the bridging can be managed into the rest of the vehicle.
Nothing new to this - that's how CAN buses have been set up "forever".
That sounds sensible. But what happened with Jeep's hacking via entertainment system? Seems someone was not thinking security through at all.
As I have commentarded before, its time that in-car hardware and software was audited for this sort of thing and the results published ncap-style so you can choose to avoid dumb/misled designer's results.
"Perhaps the audio systems are controlled without CAN bus access: the dashboard could connect the phone to the radio and speakers via a separate media-only network"
If any carmaker is integrating digital entertainment systems (especially internet-enabled ones) and car controls, I would like to know who that is so I can forever shun them.
"You certainly separate the engine control stuff from the body electronics. Any bridging between these is done with a gateway of sorts (think firewall). "
I would jolly well hope that this is the way that things are done, but is there a way to know for sure? Car brochures are full of glossy fantasies, and I bet if you ask a dealer if the vehicle's primary CA bus is internet-accessible, you'll get in reply either a blank stare, or an enthusiastic yes because they don't have a clue what a CAN bus is and why it's a terrible idea for it to be internet-connected.
If any carmaker is integrating digital entertainment systems (especially internet-enabled ones) and car controls, I would like to know who that is so I can forever shun them.
It's exactly what Jeep did. The 'infotainment' system needs signals from the CANbus for stuff like switching to the rear camera when reverse gear is engaged, blocking video playback if the handbrake isn't on, etc. The entertainment part was supposed to be firewalled off from the main bus, and only able to receive such data, but the hackers found a bug in the phone system that allowed them to remotely rewrite the firmware in the infotainment system so that it could effectively become a bus master. Job done...
Even a CANbus-USB bridge of the sort described in the article is potentially open to such an attack, if there are bugs in the USB-side firmware.
that Porsche choosing iOS had nothing to do with data collection, and more to do with brand. Lets not forget that Porsche is a premium brand and that Apple is seen as a premium brand, at a guess I'd say that the majority or Porsche drivers (as in new ones, not second hand) are probably iPhone users as well.
Any connection questions aimed at Android can be also be aimed at Apple. They will, after all, connect to the same system.
The problem is, the car will probably be around in 20 or 30 years time. How many people will still be using a 2015 iPhone or Android device that can still connect to the iOS or Android head unit?
It needs a simple, open standard that just channels the input and output and works with any device.
Perhaps the cars compatible with Android Auto have compartmentalized CAN buses so the audio system is blocked by a gateway from the engine control hardware – although reprogramming controllers on the bus to bypass these defenses is possible.
Are you kidding me? That would require a level of security awareness and defensive programming which you are not likely to find in an embedded software and hardware engineers in consumer (and vehicle) electronics space.
They take pride in how much cr*p one can shovel to run in real time on one measly CPU instead of separating functions onto a couple of units and thus reducing the complexity. The end result is stupidities like a 50K car allowing you to program new keys with a 20£ gadget despite the fact that the alarm is activated and the car is supposedly in lock-out mode (hello BMW) and in more recent days connecting an unprotected fully opened CANbus implementation to the Internet with no security whatsoever (hello Crysler-Fiat).
It is not that difficult to do a CAN to CAN translation and/or forego CAN as presentation on the USB altogether and lock-down the CAN in the USB-to-CAN controller (the car providing to the stereo USB presentation, not CAN as we know it). However, you are more likely to make all 3 faiths coexist peacefully on the Temple mound first before you make an automotive engineer design and implement this correctly as a security measure against an attack coming from the infotainment unit.
"Users opt in to share information with Android Auto that improves their experience," - so it sees I drive fast so it pops up quality ads saying I should buy a Porsche. Coolant running hot? I should consider a holiday to Sweden to keep my engine oil cool, maybe ordering through a Google advert ?
As an aside, you can get bluetooth ODBC-II dongles and there are plenty of Playstore apps to read everything. I can't see why Porsche are complaining since I can stick my phone on the window, plug in a bluetooth ODBC dongle and read speed, revs, temperature without their sayso or indeed knowledge.
As an aside, you can get bluetooth ODBC-II dongles and there are plenty of Playstore apps to read everything
True- but you are unlikely to upload all the data to a central database to let people search, for instance, to prove from parking sensor data that all Porsche drivers really do drive so close to the car in front that it counts as automotive buggery...
"but you are unlikely to upload all the data to a central database"
To actually use the ODB-II dongle, you need an app. Have you looked in the app stores how many of such apps are popular there? There are a few with *many* installs. And by that I mean several hundred thousands.
Plenty of means to create that database, I'd say!
... until I'm sure the systems are secure enough to avoid any bad interactions. Also, I'm interested to see how long they take to become obsolete - has it already happened for smartTVs. Having an integration that stops to work within two-three years is not acceptable.
Apparently these connectors are designed for infrequent use, as in when they are serviced and tested. Frequent connection/disconnection is likely to fatigue failure.
Anybody who finds the OBD2 information interesting as they drive down the road needs to get a life, beyond its novelty value, it ain't that useful unless you are sufficiently trained to understand what is being displayed. I think it is Nissan which has displays of "interesting" data available, once the novelty value has worn off, they are rarely looked at.
As far as Porsche choosing to go with Apple, well Porsche is part of VAG. VAG always needs alternative suppliers and they are traded off against each other.
"the German automaker wasn't happy handing over these diagnostics to a company that is potentially a rival"
...Apple who are not over-collecting data. Carplay is only interested in if the car is moving or not so that it can restrict the controls to force the driver to focus on driving. It's not siphoning off all kinds of telemetry such as speed which could be used to convict you or push up the price of your insurance premium for example.
So next time one installs a new flashlight app from Google Play it will now inform users it needs to access
- Engine data
- Gearbox data
- Other vehicle data
- Vehicle control module configuration and settings
This except from access to ALL data present on the phone which is by default required by any app from Play Store in order to run.
For the record, New York State shares ALL the info on your ECU with Auto Insurers and the Tax Department.
Why, because NYS MONETIZED THE DATA and gets PAID for it by the insurers or through increased tax revenue.
Every car that has a required annual Vehicle Inspection and an OBDII port, sends the contents of the ECU to Albany.
That includes mileage, highest speed and acceleration/deceleration among other things like if the ECU has been re-programmed for better speed, lower economy Air/Fuel ratios etc.
You give up the right to keep that data private when you get a liscence.
And you think Google is bad.
"It's not as if Google have form on over-collecting data.*
*Except the occasional "one rogue engineer""
So it's Big G 1, VAG 2 at least then, according to the latest arse covering statements from their senior management.
Just waiting for the engineering department to use the Eichmann defence.
Pass me some more popcorn.
But I have to ask, just how relevant is some of this 'super secret' information that may or may not be collected? I can see how throttle position and vehicle speed and RPMs could be used to determine (somewhat) if a person is racing their car, or (indirectly) possibly breaking traffic laws when combined with GPS, if analyzed to death, and if the data could be matched to a user ID.
But what mayhem is Google or anyone going to do with data such as oil temperature or pressure? Determine that someone doesn't like to warm up their car before they get on the highway? Market oil changes? Determine that you're a bad person because you have premature engine wear or aren't driving "green"? How in creation is any of it going to benefit a "automotive competitor" that has dimwitted self-driving cars that putz around town slowly like ants carrying bread crumbs on a sidewalk?
I realize that having an open avenue for data to be exchanged with a car's systems by an Internet-connected device is a very bad idea, and could lead to all kinds of unpleasant exploits. But that doesn't seem to be the point of this decision. Though while we're on the subject, what data is marketing king Apple secretly gobbling with even less openness? I really just suspect that Porsche 'drank the Kool-aid" and caved because iStuff is perceived as being more hip among the pretentious set, and most people that buy Porsches are likely to have an iPhone. Not because they respect the performance of Porsche or its racing heritage, or that iPhones are better in any meaningful way functionally, but "ooh, shiny!"
Realistically, is either company less scummy with your demographic data? What are cars that boast built-in 4G connectivity without using a phone blasting back to home base about your driving habits, location, and other data? If you want to go in that direction, GM's integrated "OnStar" system, which preceded all other systems of this type, is probably the spymaster of the bunch.