back to article It looks like tech-savvy drivers will have to lead connected car data purge

The privacy issues thrown up by connected cars don't seem to be going anywhere soon. Drivers of cars from BMW, Jaguar Land Rover and Mercedes-Benz have reported that previous owners retain unfettered access to the data and controls of connected cars after resale. The problem is international and extends to hire cars due to …

  1. Paul Crawford Silver badge

    "Whether the DVLA would be willing to accept a privacy regulating role that's outside its remit is questionable"

    They don't need to have a regulation role, just to provide a stable and well-documented API that allows the car companies to automatically wipe personal data on ownership change of a given VIN.

    Then make it clear that the car companies are liable under the GDPR and the prospect of being sued a percentage of global turnover will focus their minds magnificently.

    1. John Brown (no body) Silver badge

      "Then make it clear that the car companies are liable under the GDPR and the prospect of being sued a percentage of global turnover will focus their minds magnificently."

      This is the bit that puzzles me with regard to the manufactures attitude. Even after being informed, they continue to collect personally identifiable data via the connected car and allow an unauthorised 3rd party (a previous owner) full and unfettered access to that data. That is an outright and blatant breach of GDPR and the need to be seen to be addressing the issue if they don't want to be fined massively.

  2. Anonymous Coward
    Anonymous Coward

    What about Tesla?

    Aren't they the ultimate connected car?

    This -> https://electrek.co/2018/09/06/tesla-model-3-rental-stolen-key/

    shows that they are just as vunerable as other cars despite what the Tesla Fanboi's like to claim.

    With the car that is supposed to drive the likes of BMW, Audi etc out of business soon to hit these shores this sort of thing will be more and more common.

    Watch out for your insurance premiums to rise by 20%.

  3. Terry 6 Silver badge

    Users?

    consumers also have to get into the habit of removing their data and dissociating their smartphones when they sell on their connected cars.

    FFS Most users struggle to work out how to connect the fucking things and make them work properly. Does anyone realistically think that they'll know how ( or even why) to wipe themselves off?!!!!!!!!!!!!!!

    1. steelpillow Silver badge
      Thumb Down

      Re: Users?

      consumers also have to get into the habit of removing their data and dissociating their smartphones when they sell on their connected cars.

      Indeed not. The manufacturers need to design-in remote access on a secure per-user basis and give their agents the apps to manage it right. But it will probably take class action lawsuits and appeals all the way to the top of the legal system in several countries before either the manufacturers or the regulators in their pockets will give a flying f*ck.

    2. vtcodger Silver badge

      Re: Users?

      I don't think this is as hard as we're making it. All it takes is for a major jurisdiction -- The EU, China, or even just California to require a standard jumper in a standard place -- perhaps next to the OBD/EOBD connector. If the jumper is in place, personal data is retained. If it's not, the vehicle asks when powered on "clear personal data, yes/no?" Until the question is answered, no entertainment system. On rental vehicles the jumper is removed by the cleaning crew and is tossed into the glove box.

  4. Flak

    Finally a good industry use of DVLA data?

    While the outlined use of data may be too late (DVLA is informed after the sale), this would be an infinitely better use of DVLA data than selling it on to the private parking extortionists...

  5. jake Silver badge

    My solution.

    Don't drive anything manufactured after about 1970.

    Seriously, doing a frame-up on an old classic isn't expensive compared to the cost of a new car ... and you wind up with exactly the ride+options that YOU want. If you don't know how to work on cars, LEARN. It's not exactly rocket surgery, and to some of us it's a form of meditation.

    Worried about fscking up your .fav old classic? Start with a VW Bug (Beetle). They are ubiquitous, parts are readily available, and they are easy to worked on with basic tools.

    1. Anonymous Coward
      Anonymous Coward

      Re: My solution.

      And what happens when your old banger is driven off the road by the eco-terrorists?

    2. nematoad Silver badge
      Unhappy

      Re: My solution.

      "Don't drive anything manufactured after about 1970."

      Why on earth pick 1970? My Mini Cooper S is from 1998 and does not have any "connectivity" so why not use a slightly newer car? Having a car as old as you suggest brings its own problems, parts, future regulation and general reliability to name just a few. God knows my Mini gives me enough problems and it's 28 years newer than your choice.

      On a separate note there is one question that has been nagging me. Why all the emphasis on "connected cars"? As a believer in the old Unix adage "Do one thing and do it well", what's the point of having something in a motor vehicle offering so many threat vectors. Surely a car is a means of getting from A to B so why do you need to be "connected"? Is your life so busy and you so important that you need to be available at all times? Speaking for myself the answer is no and no. Indeed I view driving as a chance to remove myself from the demands of others and get on with the task in hand i.e. driving. That in itself is demanding enough without being infotained*.

      * The idiot who coined this little beauty should join the Sirius Cybernetics Corporation up against the wall.

      1. BrownishMonstr

        Re: My solution.

        Why all the emphasis on a connected car? It's the unnatural evolution of cars merging with modern tech.

        To be able to use your phone via the car would be great. Instead of using whatever shite was bundled with the car you could use the entertainment and sat nav on your phone.

        Intelligent transportation systems, would also bpea logical step forward. To determine when the traffic light in front of you will change so you can either slow down enough that you won't have to stop, or you know you'll have to wait a while.

        Without a connected car this and so much more wouldn't be possible.

        1. MachDiamond Silver badge

          Re: My solution.

          I'd much rather use my phone as a phone and the SatNav/infotainment mounted in the car. SatNav on a phone seems to always be festered with tracking and recording whether you want it or not. My stand alone SatNavs that I can pick up super cheap now are very easy to make forget where they have been and don't throw up a message screen while I am trying to navigate through an unfamiliar city. I can even forget my phone or have it off and still get directions.

          I have a couple of iPods for music and books that connect up to the car. I see it as another air gap between my digital stuff and the rest of the world. I even have satellite radio to keep me entertained and informed as I drive.

          1. Anonymous Coward
            Anonymous Coward

            Re: My solution.

            My take is a little different.

            The satnav mounted in my car dashboard has a built in map that's getting increasingly out of date, and the manufacturer would want £70+ to provide a 2GB SD card with an update for it - thanks but no thanks. I could get a stand alone device to do it instead, but I really can't be bothered to fuss about with yet another gadget.

            The main use I make of navigation is traffic avoidance, to keep track of which roads and routes are blocked now, and to find me an alternative which is still clear. Whatever satnav I use will need connectivity to achieve this. It's just easier and cheaper to use my phone for this and ignore the privacy implications.

            Dumb car and smart phone for me - at least I only have one device blabbing my private data to it's manufacturer and marketing partners. That's what works for me, but I wouldn't suggest it's right for everyone. Choice is good, as long as it's *informed* choice.

      2. Fatman Silver badge

        Re: My solution.

        <quote>what's the point of having something in a motor vehicle offering so many threat vectors</quote>

        To meet the demands of Marketing.

    3. GnuTzu Bronze badge

      Re: My solution -- Used Car Shortage

      Anyone want to start predicting used car prices? What will that old Sentry or Accord go for in ten years?

  6. Nano nano

    Clear personal data ?

    Honda CRV has such an option in the Settings menu ...

    1. Tom 35 Silver badge

      Re: Clear personal data ?

      I think all cars have a clear data option, but on some you will never find it without a search or reading the manual. It will be something like settings -> advanced -> other -> more -> more -> data -> clear -> are you sure?

  7. Adelio

    DVLA - why not them

    It would be simple for the DVLA to send details back to the manufactures (electronically) of any of their cars that have new owners.

    The simplest thing would then be for the Manufacturer to contact the original owner and say, unless you tell us otherwise in 3 months we will clear all your data for this car.

    I would guess that for each car they would have as a min the email address linked to the car.

    1. Anonymous Coward
      Anonymous Coward

      Re: DVLA - why not them

      While we're at it we can get the DVLA to do a deep clean on the vehicle to remove any utility bills, bank statements etc that you may have left in the glove box as well? What a terrible idea, this isn't what the DVLA is for, it'd just waste time and effort at public expense. Government agencies shouldn't be getting involved in this.

      If a car is sold on through a dealership or registered motor trader it should be part of their responsibility to do a data reset when prepping it for the sale. Likewise, if it's a rental, the rental firm should be responsible for a data wipe between clients. These are just a code of conduct updates for those business categories, which could be "encouraged" by use of GDPR enforcement if necessary. Private sale between invididuals is a bit of a hole - IMO that's going to have to remain up to the individuals concerned, private sale is low-regulation for a reason.

      To some extent the potential nepharious activity is already covered by existing laws and regulations. Accessing data on a car you no longer own? That sounds like a breach of the computer misuse act. Misusing the data left on a car by the previous owner is another matter - I'm not sure there's anything that covers this. Maybe another commenter knows better?

      It's certainly true that car owners and users could do with being made more aware of these issues, and that ought to be more forthcoming from the manufacturers. A little cross-industry standardisation of the methods for clearing data from cars wouldn't be a bad thing either.

  8. Jellied Eel Silver badge

    Factory reset option?

    Having a reset feature that sets the system back to default would seem sensible and simple for anything held locally. If the car's 'smart' and paired to some cloudy bollockery, then unpairing it might be a little harder.

    1. stiine Bronze badge

      Re: Factory reset option?

      Just like the damn radio after you disconnect the battery for an hour? I like it.

      1. MachDiamond Silver badge

        Re: Factory reset option?

        "Just like the damn radio after you disconnect the battery for an hour? I like it."

        That's ok unless your battery goes flat or you have it disconnected to work on something and lose all of your data when you don't want to.

        1. Mark 85 Silver badge

          Re: Factory reset option?

          That's ok unless your battery goes flat or you have it disconnected to work on something and lose all of your data when you don't want to.

          That would work for me as I wouldn't want, nor keep sensitive data on the car. Unless it's some important to the overall maintenance and drivability, I don't want it kept.

          In other words, fault detection, mileage, EFI, data etc. should be kept. Everything else not so much.

        2. Peter Clarke 1

          Re: Factory reset option?

          The nub of the argument is that is too easy and quick to add data. If you put your phone on the dash by the time you've fastened your seat belt all data could be synched. It could actually be a feature for hire cars to wipe the data as soon as the door is locked/key out of range

        3. Public Citizen

          Re: Factory reset option?

          Which is easily avoided by a keep alive device inserted into the cigarette lighter socket.

    2. MachDiamond Silver badge

      Re: Factory reset option?

      The instructions for a factory reset/lobotomy can be a screen in the settings menu so if the procedure changes, the instructions can be changed on the infotainment system. It could be as easy as holding down two buttons while powering on the radio and confirming a total wipe. The car would then forget all sync'd data and require establishing a new account with the manufacturers data slurp headquarters to received updates and send driving data (if approved). For hire cars, there could be code required before updates and driving data are disabled. I expect that manufacturers will have a special program that hire companies can use to track and monitor their fleet. Finding that software in a used car would be a dead giveaway that it's a former hire car.

      The simpler it's kept to do and the more universal the procedure, the better it will be for data security.

  9. stiine Bronze badge
    Facepalm

    "The ICO advocates a privacy-by-design approach, which would appear to require bringing manufacturers on board and may be difficult to apply to cars already on the road."

    Why would you say this? Is my Ford likely to rebadge itself as a Chevrolet while its driving down the road under control of its new owner? Is the VIN going to get a lever like a slot machine?

    NO.

    So why, if you can mandate recalls for safety issues can't you issue a recall for THIS SAFETY ISSUE?

    1. MachDiamond Silver badge

      "The ICO advocates a privacy-by-design approach, which would appear to require bringing manufacturers on board and may be difficult to apply to cars already on the road."

      I believe that any car that is storing and sending data can be updated to add a forget option. I'm certain there is plenty of program space for lots of updates.

  10. Steve Kerr

    Recessed reset button in glove compartment

    Like a number of devices, why not just add a recessed reset button inthe glove department.

    Press and hold for 5 seconds to factory reset the car.

    No weird and wonderful menus to navigate.

    For rental cars, in the rental agreement, all they need is for either the renter to press the reset button or for the rental company to do it when they get the car back and do their return checks.

    if all car manufacturers done this one feature, wouldn't even need to bury it in the back of user manual.

    Damn, should have patented that!

    1. Version 1.0 Silver badge

      Re: Recessed reset button in glove compartment

      Just rewire the etherkiller cable to work with the autodiagnostic connector.

  11. Yet Another Anonymous coward Silver badge

    An opportunity

    Used to work on one of the early GPS fleet tracking systems that could work out in the bush.

    Family owned logging business, husband notices that the truck his wife uses seems to spend nights parked in the suburbs next to another company truck

    Wife was "inspecting the chopper" of one of the lumberjacks.

    After the divorce they end up running the 1st and 2nd biggest logging operations in the state - and we sold vehicle tracking to both of them !

    (although presumably she learnt her lesson and used her own car for dates)

  12. nevstah

    not that difficult

    never mind fancy onscreen reset menus or glovebox buttons, just ask the question when you connect a new phone, new owner or additional driver.

    as for older cars and simplicity, then anything pre ~2002 with only the most basic on board computers. or, better still, something with a carburetter, no sensors to break, no catalytic converter to fail and no computers or ECU. Yes, things can and do still fail, but you don't need an electronics degree to fix, just a spanner and a screwdriver

  13. GnuTzu Bronze badge

    Movie Chase-Scene Idea

    High speed car chase with multiple cars in which multiple hacker teams battle to take control of the cars.

    1. Yet Another Anonymous coward Silver badge

      Re: Movie Chase-Scene Idea

      Scene from Heat where they run out of the bank, leap into the car.

      Press the brake while starting, wait for the startup splash logo on the dash screen, put on the seatbelt, press ok to the "do not use while driving" media screen, wait for the iConnected iDrive to iConnect

      Then pull away silently in hybrid city mode

  14. Anonymous Coward
    Anonymous Coward

    24/7 Phone-Home IoT Tracking + Data-Hoarding / Previous-Owner-Access

    Both of these issues caused me to stop and put off buying a car altogether.

    Traffic is so bad where I live anyway, it doesn't work as a reliable form of transport anymore. Plus it just costs too much. road tax, insurance, fuel, maintenance. Compared with owning a home, its a bad purchase with horrific depreciation, which mostly sits there unused, but with a constant risk of break-in.

    Manufactures are predicting we're near 'peak car' too and won't keep buying'em indefinitely...

    https://www.bloomberg.com/news/articles/2018-08-17/-peak-car-and-the-end-of-an-industry

    1. Anonymous Coward
      Anonymous Coward

      Re: 24/7 Phone-Home IoT Tracking + Data-Hoarding / Previous-Owner-Access

      Has some kind soul uploaded to the Web a list of which Makes and Models continuously record your Location History and phone it back home to interested Commercial and State organisations ?

  15. 10forcash Bronze badge

    Although I despise 'connected' cars (maybe because my work brings me into contact with them on a daily basis) I've added 'connected' functionality to my own LandRover - but on my terms, with a GSM Telemetry module - it's not really telemetry, more simple I/O...

    It alerts me by text if the alarm is activated, the main or aux battery fall below 11.8VDC

    I can command it to run the fuel fired pre-heater for 30 mins, and / or turn on the heated screen, seats & steering wheel for 10 mins.

    It requires a pin to accept commands and only from registered numbers and can be interrogated for its GPS position, with the added bonus of being able to connect by satphone if the GSM network is unavailable.

    It doesn't save tracking info, send to anyone else, identify me or my car uniquely and most importantly, can be turned off without affecting the designed functionality of the car.

    Yes, I know the GSM & INMARSAT can be tracked, but the IMEI's are not associated with the vehicle specifically, unlike the 'connected car' stuff, so in that sense, it only shows the vector and speed of travel, the mode is unknown.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019