The order comes after GM was caught selling customer data to third-party data brokers and insurance companies — without consent:
General Motors and its subsidiary OnStar are banned from selling customer geolocation and driving behavior data for five years, the Federal Trade Commission announced Thursday.
The settlement comes after a New York Times investigation found that GM had been collecting micro-details about its customers' driving habits, including acceleration, braking, and trip length — and then selling it to insurance companies and third-party data brokers like LexisNexis and Verisk. Clueless vehicle owners were then left wondering why their insurance premiums were going up.
[...] FTC accused GM of using a "misleading enrollment process" to get vehicle owners to sign up for its OnStar connected vehicle service and Smart Driver feature. The automaker failed to disclose to customers that it was collecting their data, nor did GM seek out their consent to sell it to third parties. After the Times exposed the practice, GM said it was discontinuing its OnStar Smart Driver program.
Also at AP, Detroit Free Press and Engadget.
Previously:
- Connected Cars' Illegal Data Collection and Use Now on FTC's "Radar"
- GM to Leverage Driver Data as it Jumps Back into the Insurance Business
- Law Enforcement Has Been Using OnStar, SiriusXM, to Eavesdrop, Track Car Locations
« EU Protests New US AI Chip Restrictions - Some Countries Face GPU Caps | Asimov's Laws of Robotics Need an Update for AI Proposing a 4th Law of Robotics »
Related Stories
A recent techdirt article says that
Thomas Fox-Brewster of Forbes is taking a closer look at a decade-plus of in-car surveillance, courtesy of electronics and services manufacturers are installing in as many cars as possible.
Following the news that cops are trying to sweat down an Amazon Echo in hopes of hearing murder-related conversations, it's time to revisit the eavesdropping that's gone on for years prior to today's wealth of in-home recording devices.
One of the more recent examples can be found in a 2014 warrant that allowed New York police to trace a vehicle by demanding the satellite radio and telematics provider SiriusXM provide location information.
In this case, SiriusXM complied by turning on its "stolen vehicle recovery" mode, which allowed law enforcement to track the vehicle for ten days. SiriusXM told Forbes it only does this in response to search warrants and court orders. That may be the case for real-time tracking, but any location information captured and stored by SiriusXM can be had with nothing more than a subpoena, as this info is normally considered a third-party record.
It's not just satellite radio companies allowing cops to engage in surreptitious tracking. OnStar and other in-vehicle services have been used by law enforcement to eavesdrop on personal conversations between drivers and passengers.
In at least two cases, individuals unwittingly had their conversations listened in on by law enforcement. In 2001, OnStar competitor ATX Technologies (which later became part of Agero) was ordered to provide "roving interceptions" of a Mercedes Benz S430V. It initially complied with the order in November of that year to spy on audible communications for 30 days, but when the FBI asked for an extension in December, ATX declined, claiming it was overly burdensome.
The 2001 case didn't end well for law enforcement. It wasn't that the court had an issue with the eavesdropping, but rather that the act of listening in limited the functionality of the in-car tech, which the court found to be overly-burdensome.
[...] Law enforcement may find encryption to be slowing things down in terms of accessing cell phone contents, but everything else -- from in-car electronics to the Internet of Things -- is playing right into their hands.
-- submitted from IRC
GM to leverage driver data as it jumps back into the insurance business – TechCrunch:
General Motors is launching an insurance service, returning to a business that it abandoned more than a decade ago, but this time more in step with the connected-car era.
The service, called OnStar Insurance, will offer bundled auto, home and renters' insurance, starting this year with GM employees in Arizona. GM's new insurance agency, OnStar Insurance Services, will be the exclusive agent for OnStar Insurance. Homesite Insurance Group, an affiliate of American Family Insurance, will underwrite the program.
The services will be available to the public nationwide by the end of 2022, including people who drive vehicles outside of GM's portfolio of Buick, Cadillac, Chevrolet and GMC branded cars, trucks and SUVs. The aim, however, is to leverage the vast amounts of data captured through its OnStar connected car service, which today has more than 16 million members in the United States.
GM's pitch is that this data can be an asset to drivers and help them cash in on lower insurance rates based on safe driving habits.
"Our goal is really to create greater transparency and greater control for our customers in influencing what they pay for insurance and their total cost of ownership on the vehicles," Russell Page, GM's head of business intelligence said in a recent interview.
The data play is substantial. The company has logged more than 121 million GB of data usage across the Buick, Cadillac, Chevrolet, and GMC brands since the launch of 4G LTE in 2014.
The regulator is warning OEMs to respect data privacy or it will get mad:
The Federal Trade Commission's Office of Technology has issued a warning to automakers that sell connected cars. Companies that offer such products "do not have the free license to monetize people's information beyond purposes needed to provide their requested product or service," it wrote in a blog post on Tuesday. Just because executives and investors want recurring revenue streams, that does not "outweigh the need for meaningful privacy safeguards," the FTC wrote.
Based on your feedback, connected cars might be one of the least-popular modern inventions among the Ars readership. And who can blame them? Last January, a security researcher revealed that a vehicle identification number was sufficient to access remote services for multiple different makes, and yet more had APIs that were easily hackable.
Later, in 2023, the Mozilla Foundation published an extensive report examining the various automakers' policies regarding the use of data from connected cars; the report concluded that "cars are the worst product category we have ever reviewed for privacy."
Those were rather abstract cases, but earlier this year, we saw a very concrete misuse of connected car data. Writing for The New York Times, Kash Hill learned that owners of connected vehicles made by General Motors had been unwittingly enrolled in OnStar's Smart Driver program and that their driving data had been shared with their insurance company, resulting in soaring insurance premiums.
[...] The FTC says that automakers and other businesses must protect users' data against illegal collection, use, and disclosure. It points to recent enforcement actions against companies in other sectors that have illegally collected or used geolocation data, surreptitiously disclosed sensitive user data, and illegally used sensitive data for automated decisions.
The FTC says the easiest way to comply is to not collect the data in the first place.
(Score: 2, Insightful) by Anonymous Coward on Sunday January 19, @11:24AM
> The settlement comes after a New York Times investigation
This is why I still subscribe to my local newspaper. Yes, it's expensive and pretty lame (compared to the era when I was a paper delivery boy, c.1970) but the local paper still has a few true investigative journalists on staff.
(Score: 0) by Anonymous Coward on Sunday January 19, @12:03PM
A nation with zillions of do-your-own-research and its enough for GM to call it "Smart Driver" to also have zillions swindled.
(Score: 2, Insightful) by Dr Spin on Sunday January 19, @12:58PM (7 children)
... for which the punishment is the complete shutdown of GM?
Warning: Opening your mouth may invalidate your brain!
(Score: 2, Insightful) by Anonymous Coward on Sunday January 19, @01:33PM (1 child)
> ...punishment is the complete shutdown of GM?
Here's one reason, https://www.gm.com/company/usa-operations [gm.com]
And lots more people if you count suppliers to GM. That's a lot of people that would be suddenly unemployed, are you ready to pay them benefits from your taxes?
(Score: 2) by Dr Spin on Sunday January 19, @05:27PM
I don't live in the USA, and have already sold the last GM car I will ever buy..
Warning: Opening your mouth may invalidate your brain!
(Score: 3, Interesting) by Undefined on Sunday January 19, @03:05PM (1 child)
Also notable is no mention of punishment/remediation applied to the insurance companies abusing customers using stolen data.
(Score: 2, Insightful) by Anonymous Coward on Sunday January 19, @08:17PM
I wonder if demonstrated victims of this could sue the insurance co's for knowingly (at this point) being in possession of stolen property.
(Score: 4, Informative) by Thexalon on Sunday January 19, @03:34PM (2 children)
Because there is no crime for which the punishment is the shutdown of any major corporation.
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
(Score: 1, Informative) by Anonymous Coward on Sunday January 19, @11:04PM (1 child)
> Because there is no crime for which the punishment is the shutdown of any major corporation.
I think you forgot Enron?
(Score: 2) by Thexalon on Tuesday January 21, @12:07PM
No, I didn't: Enron was not forcibly shut down by the government, it went bankrupt after its accounting frauds were exposed. Had they been able to find sufficient investors, it would have been bought out by somebody and continued operations.
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
(Score: 1, Funny) by Anonymous Coward on Sunday January 19, @03:03PM
n/t
(Score: 2) by mcgrew on Monday January 20, @08:39PM
It should be a prison time felony for any of them to sell anyone's data to anyone. My car belongs to ME and any data it generates is MINE and belongs to me. Using my car's data without my express, written permission is THEFT.
It should be treated as such, no different than my hacking GM's servers and taking their proprietary knowledge. Or Ford's or anybody else's.
A Russian operative has infiltrated the highest level of our government. Where's Joe McCarthy when we need him?