
SoylentNews is people

posted by Fnord666 on Monday May 07 2018, @12:07PM
from the pre-powned dept.

Submitted via IRC for SoyCow4408

Last December, Ashley Sehatti sold her 2015 Jetta back to a local Volkswagen dealership in California. So when the calendar turned over, she didn't understand why she was still getting sent monthly reports about the car's health. After another one came in April, she finally logged on to VW's online portal for Car-Net, the telematics system that runs in many of the company's modern cars.

To her surprise, Sehatti saw the location of her old Jetta on a map, up-to-date mileage, and the status of the car's locks and lights. It had been resold, and yet she still had access to some of the car's systems. "There was nothing in place to stop me from accessing the full UI," she says over email.

What Sehatti hadn't realized is that Volkswagen puts the burden of disabling access to Car-Net squarely on the customer in its terms of service agreement when they decide to sell or exchange a car — even if the car is going back to a VW dealer.

Source: https://www.theverge.com/2018/5/4/17303644/volkswagen-car-net-security-location-access


  • (Score: -1, Troll) by requerdanos on Monday May 07 2018, @01:36PM (18 children)

    by requerdanos (5997) Subscriber Badge on Monday May 07 2018, @01:36PM (#676634) Journal

    I have made a few minor changes to TFS. Not criticising the editors in any way, just thought that TFA might have an agenda and might have left out some important information. Brief comments follow.

    Last December, Ashley Sehatti sold her 2015 Jetta [but sneakily kept her online access account to spy on the vehicle, despite having a responsibility to turn that over along with the car].

    [Later, possibly due to feigned amnesia,] she didn't understand why she was still getting sent monthly reports about the car's health. After another one came in April, she finally logged on to [the now-spying-stalking account that she had surreptitiously kept on] VW's online portal for Car-Net, the telematics system that runs in many of the company's modern cars.

    To [no-one's] surprise, Sehatti saw the location of her old Jetta on a map, up-to-date mileage, and the status of the car's locks and lights.

    It had been resold, and yet she [had kept her] access to some of the car's systems [even though she should not have, because it was no longer her car].

    "There was nothing in place to stop me from accessing the full UI," she says over email[, bragging about her mad h4cking 5kills.]

    What Sehatti [cleverly] realized [and exploited] is that Volkswagen puts the burden of disabling access to Car-Net squarely on the customer in its terms of service agreement when they decide to sell or exchange a car — even if the car is going back to a VW dealer. [But she didn't. This is why we can't have nice things.]

    When you sell a car, you have a responsibility to turn over the stuff that goes with the car. The keys, spare tire, jack, etc.

    Volkswagen's evil intent? Doubtful. It's right and just that they respect her privacy and don't allow any random dealership to access her VW Stalker account. That would be evil.

    If you keep a set of keys, or a Volkswagen stalker account, and use them for stalking, to access the car later, you are part of what's wrong with the world [duckduckgo.com].

    Now, if anyone claims that "she didn't know": That doesn't change any of the above; it just means that she desperately needs to know it. When you find out that your behavior is arguably socially harmful, you should probably try to change your behavior, and definitely not find a major corporation to blame for it.

    In TFA, a Volkswagen spokesperson says "as a subscriber, the customer has the responsibility to terminate the contract when selling their vehicle. This is a practice common in the industry." The responsibility to turn over the stuff that goes with the car does not change or suddenly become novel and surprising just because you add the phrase "on a computer" or "on the internet".

  • (Score: 5, Insightful) by nobu_the_bard on Monday May 07 2018, @02:08PM (12 children)

    by nobu_the_bard (6373) on Monday May 07 2018, @02:08PM (#676648)

    Wouldn't you have expected the dealer to check these things before reselling it, though? I think that's the problem.

    The dealer will check for things like if the spare tire is missing when they buy it back. They'll also presumably complain if you've removed the seats or the radio or the roof, or if you've replaced the wheels with monster truck wheels or something. Whether they directly take it up with the person selling it to them or not, they'll surely notice and need to deal with the missing/changed elements, if only to be prepared when the prospective buyer complains they want a discount for its condition. I don't think, in this case, the computer access is that different.

    Just as they can easily replace the spare tire, they should be able to sever your remote access to the car's computer. That EULA is just covering them in case they goof it up ...

    I suspect the particular dealer involved just hasn't adapted to the times, as the article suggests.

    • (Score: 3, Informative) by Anonymous Coward on Monday May 07 2018, @02:29PM (1 child)

      by Anonymous Coward on Monday May 07 2018, @02:29PM (#676653)

      GM is supposed to reset OnStar when selling a used car, but there are plenty of reports of the same problem.

      • (Score: 3, Interesting) by requerdanos on Monday May 07 2018, @05:41PM

        by requerdanos (5997) Subscriber Badge on Monday May 07 2018, @05:41PM (#676701) Journal

        OnStar...there are plenty of reports

        Because I have an e-mail address in the form of [first initial] + [last name] @ [large ISP], I get lots of mail for people who think that's their e-mail address, when in fact theirs is [first initial] + [last name] + [some random number] @ [large ISP]. Usually I am able to get it straightened out pretty easily.

        But there are three or four vehicles that I get regular OnStar Monthly Reports on that I haven't been able to deflect.

        When I contact a dealer listed as contact info, they say that only OnStar can fix it and I have to contact them directly.

        When I contact OnStar, they won't "access the account" unless I can provide personal information proving it's mine (which it isn't) and recommend I contact the dealer to resolve it.

        So, I still get OnStar e-mails, because the OnStar system is operated largely by people who don't quite get the privacy thing (and who, by the way, seem to have neither English nor Spanish as a first language). Fair enough, I wouldn't expect OnStar to get privacy.

        I may end up printing the reports and mailing them to the vehicle owners, along with a report of efforts I have undertaken to stop receiving them, in the hopes that they can get it sorted.

    • (Score: 0, Interesting) by Anonymous Coward on Monday May 07 2018, @02:52PM (3 children)

      by Anonymous Coward on Monday May 07 2018, @02:52PM (#676656)

      The thing is, Car-Net is *not* free. It's a subscription service after a free trial period after purchasing a new VW vehicle. The person in the article was paying for the Car-Net service after the car had been sold. One has to ask why the person continued to pay for that service... And why the service wasn't cancelled so that they didn't have to continue paying for it. The question on why the dealer didn't do this is secondary, IMO, and could open up other interesting security aspects.

      Now, another question is why the new owner didn't recognize that Car-Net was running on their "new" car and try to have the service transferred and/or cancelled.

      Overall, all three parties involved share the responsibility here.

      • (Score: 5, Insightful) by sjames on Monday May 07 2018, @03:02PM (1 child)

        by sjames (2882) on Monday May 07 2018, @03:02PM (#676661) Journal

        Many people end up still paying for things after it should have cancelled due to automatic credit/debit card payments.

        But, in any event, since the car was resold by the dealer, surely the dealer should have killed the old account. The system itself should also make it clearer to a new owner who has access to the account and make sure the new owner has the ability to terminate the old owner's access.

        People are quite used to signing over the title and handing over the keys, but handing over digital accounts is new and many don't even think about it.

        • (Score: 4, Insightful) by Immerman on Monday May 07 2018, @03:22PM

          by Immerman (3985) on Monday May 07 2018, @03:22PM (#676668)

          You'd think if nothing else there should be a big bold page at the front of the owner's manual saying "If you've bought this car used, be sure to..." so that the new owner knows to disable/transfer the stalkery bits

      • (Score: 4, Insightful) by SomeGuy on Monday May 07 2018, @07:27PM

        by SomeGuy (5632) on Monday May 07 2018, @07:27PM (#676759)

        To a lot of people many of these "services" are big vague confusing nebulous things. It is easy to imagine they might have thought the service would transfer to their new car (even without whatever system), or perhaps they even thought they didn't need a car for whatever this service is. They just know someone told them they needed this service and are afraid to find out what will happen if they cancel it. Right in the summary it indicates this person never even used the service when they had the car.

        It isn't illegal for a company to keep taking your money if you give it to them. So of course the companies have no interest in automatically terminating services.

    • (Score: 2, Interesting) by requerdanos on Monday May 07 2018, @05:17PM (5 children)

      by requerdanos (5997) Subscriber Badge on Monday May 07 2018, @05:17PM (#676690) Journal

      check for things like if the spare tire is missing when they buy it back. They'll also presumably complain if you've removed the seats or the radio or the roof, or if you've replaced the wheels with monster truck wheels or something.

      I anticipated such an objection, but didn't expect to actually see it!

      The buyer, whether a dealer or an individual or an alien race, can look and see whether there are missing items. This is fine as far as items that are missing go.

      There is a surreptitious class of things to keep, however, whose absence of transfer is not obvious. They are "keys", whether physical or electronic.

      Either a set of keys is passed on along with the vehicle, or the vehicle is sold without them in the knowledge that new keys will need to be cut. Either way, an honest, helpful person will not have secretly kept a means of access to the vehicle--physical or electronic--in order to stalk the buyer and access the vehicle later.

      There is not a way to examine the vehicle, as you so carefully did with your roof, seats, radio, and wheels, to see whether you are being stalked.

      That's the difference between spare keys (physical or electronic) and unique physical components of the machinery.

      The dealer, because of the nature of reality, can't check whether you have made spare physical keys for stalking purposes.

      The dealer, because of policies respecting your privacy, can't check whether you kept electronic access to the vehicle via stalk-my-car.com.

      Perhaps society will decide that every car dealer should be able to access our online accounts, just to make sure. I sure hope not.

      Make sense?

      • (Score: 1, Touché) by Anonymous Coward on Monday May 07 2018, @05:25PM

        by Anonymous Coward on Monday May 07 2018, @05:25PM (#676694)

        Make sense?

        No

      • (Score: 3, Insightful) by bob_super on Monday May 07 2018, @05:46PM (1 child)

        by bob_super (1357) on Monday May 07 2018, @05:46PM (#676703)

        It would make sense if you sold the car through Joe Dirt Lot.

        An Official Dealer should send a service termination notice to the factory upon buying a car. After all, they typically set up the car to give the next buyer one to three months of free service, hoping to get them hooked into monthly payments.

        • (Score: 3, Insightful) by requerdanos on Monday May 07 2018, @06:32PM

          by requerdanos (5997) Subscriber Badge on Monday May 07 2018, @06:32PM (#676728) Journal

          An Official Dealer should send a service termination notice to the factory upon buying a car.

          I see the beginnings of something that would help here--The official dealer sending notice to VW that a VW was bought at the dealership level.

          And then VW sending notice to Verizon (who operates the online service in question).

          And then Verizon does something useful with the information like cancel the account and refund any unused service period.

          This would solve the problem neatly.

          Of course, that works towards commonsense ends, not financial ones. Financially, I bet the balance sheet would look quite a bit better if they keep quietly, if maliciously, charging the people--forgetters and stalkers alike--who are paying for a service for a car they don't even own. As seems to have been the case here.

      • (Score: 2) by Grishnakh on Monday May 07 2018, @06:36PM

        by Grishnakh (2831) on Monday May 07 2018, @06:36PM (#676730)

        I'm sorry, but IMO the blame lies entirely with the manufacturer and the dealer. They should be ensuring that prior owners no longer have access to the vehicle.

        For the keys, they should be reprogramming them all, and the car, so that only the keys being given to the new owner actually work with the car, and that old keys do not. I'm pretty sure some modern cars will actually show you on the car's computer which keys are programmed to work with the car, and allow you (or the dealer maybe) to disable certain ones. This should be standard operating procedure.

        Same goes for any online access. The dealer should be making sure that old owners can't access the car, and the manufacturer should be designing the vehicle so that this is possible and directing the dealers on how to do it.

        This is all basic security here, not rocket science.

        It's no different than selling a house, and the new buyer changing the locks. With older cars, the same could be done. We usually leave this to the buyer, but for modern cars this isn't really as feasible (might require special service tools), so this should be something that the dealer is responsible for.

      • (Score: 0) by Anonymous Coward on Monday May 07 2018, @06:38PM

        by Anonymous Coward on Monday May 07 2018, @06:38PM (#676731)

        If a car has electronic keys, which all cars do nowadays, the dealer can reset the codes when they get the car back. So no, if you "accidentally" keep the electronic key to your old car, it won't work unless the dealer is negligent.

  • (Score: 5, Insightful) by Anonymous Coward on Monday May 07 2018, @02:36PM (3 children)

    by Anonymous Coward on Monday May 07 2018, @02:36PM (#676655)

    You trying to portray the previous owner as a stalker is simply trolling.

    Volkswagen's evil intent? Doubtful.

    Bullshit. It is VW's telematics system and it is their responsibility to disable prior access (so the old owner cannot track the vehicle after they return it to the dealer) and archive prior history (so the dealer and new owner cannot track the actions of the previous owner). Also, it is the dealer's responsibility to inform the new owner of the availability of the Car-Net service.

    I don't care what VW puts in their ToS. It is their platform, and they own the data, so it is their responsibility.

    It's right and just that they respect her privacy and don't allow any random dealership to access her VW Stalker account. That would be evil.

    As I stated above, VW should archive the data. They already had/have access to the data about the vehicle because they own the data.

    • (Score: 2, Informative) by requerdanos on Monday May 07 2018, @05:32PM (2 children)

      by requerdanos (5997) Subscriber Badge on Monday May 07 2018, @05:32PM (#676698) Journal

      trying to portray the previous owner as a stalker

      I am observing her behavior without trying to characterize her intent. Whether her behavior arises from malice, or from ignorant negligence, doesn't change the recorded behavior all that much, except from a philosophical angle. Whether her attitude was "Aha! I am stalking you" or "Ooops, sorry, accidentally stalked you", the verb is the same; only the adverbs change.

      We have a duty to behave responsibly without expecting corporations to take over our private accounts "for our own protection." People who fail to do so, like this woman in particular, put that in jeopardy. That affects me directly. I am speaking up.

      is simply trolling.

      I don't think you're quite following along.

      I don't care what VW puts in their ToS. It is their platform, and they own the data, so it is their responsibility.

      For our own protection, right.

      Even if that were true, VW never knew about it until the media posturing casting them as the enemy. The majority of VW dealers are privately-owned businesses who have an agreement with VW to sell and service their cars. That does not make VW magically aware of the used-car side of their businesses, nor should it.

      Though VW does own some of its dealerships, primarily in Europe, they are trying to reduce the number [autonews.com] of company-owned dealerships even there.

      Let's say I own a car by "Anonymous Coward Motors." If I later sell that car to a private dealer, for my privacy and the dealer's, it's none of AC Motors' business. Unless we have a nanny state where everything is required to be reported to everyone "for our own good".

      I reject that. I exhort you to do the same. If you decide not to do the same, I respect that; in which case, as a minimum, you need to recognize that it's a valid view and not "trolling".

      • (Score: 5, Insightful) by Grishnakh on Monday May 07 2018, @06:45PM

        by Grishnakh (2831) on Monday May 07 2018, @06:45PM (#676733)

        You're placing blame entirely on the old seller, which is a stupid and useless course of action. This is how we wind up with a judicial system where your only recourse is to sue people, which rarely works out because the legal costs are far higher than you're ever going to get back in collections from some small-time scammer.

        VW and the dealer need to be responsible here. VW needs to be responsible for building their cars so that dealers have access (upon customer request, or when the car comes into their possession during a sale/trade-in) to the vehicle and all keys or services which have access to the car, and are then able to cut off access to anything that's not authorized, be it old keys that the old owner kept, or an online account that the owner didn't disable. Whoever has physical possession of the car should be the one in control of this or have access to all this information, not VW, and not some random dealer, but any dealer who comes into possession of the car (or, any private party who buys it in a private sale) should.

        In short, this is a problem that is easily solved with technological measures rather than the futility of blaming small-time (possible) criminals, just as it's much easier to just re-key the locks when you buy a new house rather than waiting around for the old owner to sell the keys to some burglars and getting burgled and then hoping to somehow not only catch and prosecute the burglars but also prove in court (with expensive lawyers) that the old owners were accomplices, and then spend enormous sums of money suing the burglars and old owners for your damages when they just stole a few TVs. Your proposed solution seems to be "let the crime happen then we'll use the police and legal system to correct it" rather than "take simple steps to avoid the crime altogether".

      • (Score: 0) by Anonymous Coward on Monday May 07 2018, @07:00PM

        by Anonymous Coward on Monday May 07 2018, @07:00PM (#676748)

        I am observing her behavior without trying to characterize her intent.

        Your very first "edit" literally asserted a character to her intent:

        sneakily kept her online access account to spy on the vehicle

        Whether her attitude was "Aha! I am stalking you" or "Ooops, sorry, accidentally stalked you", the verb is the same; only the adverbs change.

        It may be the same verb each time, but it's the wrong verb. For it to be "stalking", in both colloquial and legal senses, would require repeated invasive action taken over time, of which you have no evidence.
        And by using the word "stalking", this is another example of you trying to characterize her intent without evidence.

        The majority of VW dealers are privately-owned businesses who have an agreement with VW to sell and service their cars. That does not make VW magically aware of the used-car side of their businesses, nor should it.

        If VW are operating a service which lets people monitor the activity of cars which can be re-sold, then yes they are required by law to be aware of the used-car side of their business, else be in breach of privacy regulations. The obligation to keep VW informed of changes of ownership is likely in the agreements with those privately-owned businesses.

  • (Score: -1, Offtopic) by Anonymous Coward on Monday May 07 2018, @05:36PM

    by Anonymous Coward on Monday May 07 2018, @05:36PM (#676699)

    ...