> Even after the modem is removed, if you connect your phone to the car via Bluetooth then the car will use your phone as an internet connection and send all the same telemetry data back to Toyota. However, if you use a wired USB connection then it does not do that (see the discussion here and elsewhere), so I exclusively use CarPlay via USB.
The problem with this is that both carplay and android auto capture their own vehicle telemetry. So even though the car is not able to use your phone as a general data pipe, Google and Apple still get access to this data when you're connected.
They are both very cagey with how they talk about this (or don't).
And once you've gotten rid of Google and Apple, your telecom company tracks you, your CC payments help track you and even cameras in public do.
It's hard to not want to throw your hands in the air screaming "whatever" when almost everything you use in public is somehow used to track you either as you move around, or in the future.
This is one of those things that can't ever be solved with individual solutions but needs to be solved through legislation and standards, and ideally a fundamental right to privacy (and a fundamental redefinition of what privacy means when it comes to corporate surveillance of individuals).
Needless to say, cars in the UK/EU have no such privacy invading features without an explicit opt-in thanks to sensible data protection legislation; including the GDPR.
The FUD spouted on here by the scummy adtech industry about legislation to protect YOUR privacy is mind boggling. These are the people doing the digital equivalent of sniffing your underwear to work out what you had for breakfast.
(And before somebody shouts FUD about the UK/EU vehicle eCall 112 system, that certainly doesn't track you or seek to invade your privacy on any level!)
>cars in the UK/EU have no such privacy invading features If you say so.
Maybe if you buy the car with cash, but if you finance it you are leasing from a company that has definetly accepted all the terms and conditions to capture and sell all the telemetry to various parties
>without an explicit opt-in
check out at a modern volvo/audi/whatever, they are making it so difficult to say no every single time the screen is powered on
> if you finance it you are leasing from a company that has definetly accepted all the terms and conditions to capture and sell all the telemetry to various parties
No it isn't. Stop spreading FUD.
It is illegal in the UK/EU to make provision of a service dependent on allowing your personal data to be sold to third parties. This is BASIC data protection law here. You should be embarrassed for not understanding this.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
> modern volvo/audi/whatever, they are making it so difficult to say no every single time the screen is powered on
More FUD.
The nagware is for "safety" features such as lane assist which must turn on every time by default (yes, this is a PITA). This has nothing whatsoever to do with data privacy requests.
I'm in europe and I work with cars, pal.
nagware is absolutely not for safety features. Deny the terms and conditions and every time you start the car you have at least three screens you have to scroll and click buttons. It is a very recent feature, have seen it on models from january onwards.
BTW: You also want to deny that because if you agree you also agree to update the system at their will (many cases on the press of them fucking it up, bricking cars requiring ECU replacement. A couple of manufactures i won't mention fucked that up as badly as using two different ECU makes for the same car model, and sending the wrong binary and the bootloader happily accepting it. All without user approving the update beforehand. All happening in the background. Car stops at the sign, ECU reboots and dies.)
You also have constant nagware when you disable the tracking features in software.
A class action lawsuit in the making! Pal.
I seriously wish it happened.
Sure, and Volkswagen’s diesel cars are totally clean and pass emissions tests as written.
Your trust in the law (EU law! Haha) to do the enforcing itself is nice, but history and lived experience tell me that these laws are going to be skirted if there’s money in it.
Sorry, I missed the bit where the company was fined, prosecuted, suffered a consumer backlash and subsequently brought their behaviour into check.
Honestly, the number of people on here spreading FUD and defending the 'right' for the adtech industry to invade their private lives and treat them like shit is unreal. One could almost think their salaries are dependent on it!
> It is illegal in the UK/EU to make provision of a service dependent on allowing your personal data to be sold to third parties.
Nobody seems to care and this isn't enforced at all.
It is very hard to live in Germany without having a google account. Many services are only offered via phone-app that is only available through play-store. I'd have to use apks from questionable, untrusted third-party websites.
Good luck finding an employer that doesn't require you to have a microsoft account.
The EU is not the privacy paradise some make it seem to be. It's a corrupt, bureaucratic, exploitive nightmare with some splashes of democracy here and there.
Von der Leyen is the perfectly ridiculous representative, she left nothing but corruption, collusion and incompetence in her wake.
> It is very hard to live in Germany without having a google account
Which in the EU/UK, is subject to data protection law; including compulsory opt-in for sharing personal data!
Granted, the scummy adtech industry push the law to the limit ("legitimate use"), meaning we need better regulation, not less.
> The EU is not the privacy paradise some make it seem to be
Nobody said anything about paradise, though considering the unrestrained nature of adtech in the USA, I certainly know under which laws I'd rather my (and others) personal data is kept.
Replying to my own comment to inform the reader that the fluctuation in moderation points I'm seeing is frankly, extreme! It looks like my parent comment has really touched a nerve here on HN: Privacy supporters Vs Adtech supporters, or maybe those who believe in rule of law, and those who think they can do what they like with others private data.
In addition to the eCall system, note there is also the mandatory OBFCM (On-board Fuel and/or Energy Consumption Monitoring Device), that data is then downloaded from the vehicles using OBD during checks.
The data is anonymized and you can opt out, but many people probably don't know it's collected in the first place.
> (And before somebody shouts FUD about the UK/EU vehicle eCall 112 system, that certainly doesn't track you or seek to invade your privacy on any level!)
How do you know?
BTW, the checking all the opt-ins is usually the first thing the sales person does when selling a new car.
> How do you know?
And the FUD has started. Maybe try reading the law?
https://europa.eu/youreurope/citizens/travel/security-and-em...
I did read the law. Did you? The actual eCall specs are not in there. They are in EN 16102:2011 which is not free, I don't have it, I won't pay for it, and probably you won't either.
But based on my experiece:
- GPS cold start requires 1-2 minutes to get a fix. That's too long in case of a crash. That means GPS is started at the same time as the car.
- A-GPS is better, but not sufficiently fast in case of a crash either.
- The cheapest way to implement an eCall module is to use a phone chip that includes both phone and GPS functions. I'm sure we can agree that all manufacturers will choose the cheapest. That means the telephony is started at the same time as GPS - when the car is started.
- Let's assume that telephony chip is separated. A phone boots in ... 30s? Too slow even if the eCall module doesn't include a full OS.
- A phone in airplane mode still takes 5-10 seconds to connect to the network and 3-5 seconds to dial. If you press the ecall button on your car, how fast does the call connect? If it's less than 5s, the ecall module was already registered on the network. If it's registered on the network, the car leaves a metadata trail on at least one of the local phone operators' servers. That metadata includes the time and the cell towers = full tracking data.
- GSM networks since the beginning mandate that the SIM card can execute commands received from the network. A SIM card is a full independent embedded processor. You should really watch the Defcon and BackHat presentations about SIM cards. Anyone that can send binary SMSs (and most operators are very ignorant/permissive) can track it, start calls, listen on the mic, etc.
- All telephony chips today support packet data. If the car manufacturer wants to, it can preinstall tracking software.
Because no company has ever broken the law before
What a ridiculous argument!
So what is the point in having laws then?
No doubt you believe any adtech request for personal data should be met by the subject promptly bending over and grabbing their ankles with both hands?
I am absolutely sure (even though I can't give a link as proof) that all telephony operators everywhere have to provide a backdoor for the "authorities" in order to obtain their licence. So, yes, a telecom provider will be bending over immediately, or risk losing their licence.
I also suspect that in many cases, the operator won't even be informed about the tracking because the gov agencies already have direct access to all the data.
Laws exist to keep the common man in check, and to punish government organizations and corporations _if_ they get caught. The original purpose is to keep voters meek and to stop them from overthrowing the politicians. Laws have very little to do with scaring corporations and nations.
I'm tempted to say "oh you sweet summer child", because it seems just unbelievable that the statement is true (in the sense that the small print in rental cars and sales contracts doesn't allow it, ot it's done by law enforcement agencies surrepticiously).
But maybe it IS true. I know it's legally mandated.
> it seems just unbelievable that the statement is true
So do you think UK/EU vehicle manufactures are deliberately in mass breach of data privacy law... fully knowing the cost of a consumer backlash, fines and vehicle recall costs to fix any law breach?
Really?
It's genuinely amazing how many Americans on here (a tech news site!) are unaware of data privacy law and expectations outside their homeland.
I really do think there is a good chance that say MI5 or the BND or the DGSE flagrantly ignore the law to catch non-national evildoers, just as much as in the US. The temptation to do this 'in the name of security' is very high.
Of course, I can't or won't prove it.
And yes, I am _intimately_ familiar with the GDPR and other laws and regulations. The US also had (has) wiretapping laws that would have prevented snooping on Americans.
I'm not claiming the EU is no better than the US, it clearly has better intentions. But fundamentally, I think the EU will end up in the same place as the US sooner or later, simply because the same forces are at play: desire for security >> desire for privacy for most people if the rubber hits the road.
Here's some fun read for those who seek more info:
https://www.politico.eu/article/germany-privacy-watchdog-sid... https://www.bnd.bund.de/EN/Service/PrivacyPolicy/privacypoli... https://www.lexxion.eu/?newsletters_method=newsletter&id=477
> So do you think UK/EU vehicle manufactures are deliberately in mass breach of data privacy law... fully knowing the cost of a consumer backlash, fines and vehicle recall costs to fix any law breach?
They were also in mass breach of vehicle emission laws. The fact that there was some backlash (although people didn't really stop buying VAG cars), people got prosecuted, the company got fined, didn't really change their decisions while they were pumping out fraudulent cars.
Yes, we should have privacy laws like this in the EU, this is a good thing! But thinking that, when these laws are in place, all companies magically will follow them is naive. To them it's still a cost/benefit analysis, and history has shown short term benefit trumps many other things for these companies.
ONE company did it (not a mass of them), resulting in massive fines and prosecutions; they certainly aren't going to do it again!
I'd also suggest the backlash from breaches in data privacy would be much larger than from fiddling emissions tests (as evil as the latter was, it actually saved many customers money on a (more polluting) car with higher performance).
https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal#O...
> After news broke out of Volkswagen cheating on diesel emissions, multiple other vehicle manufacturers got caught falsifying emissions data, as well as exceeding legal emission limits. This uncovered a greater industry-wide issue that goes far beyond only Volkswagen Group.
> To them it's still a cost/benefit analysis, and history has shown short term benefit trumps many other things for these companies.
Doesn't that depend on the company though? Not all companies are focused in the same amount on short vs long term benefits.
There are costs of not following the regulation (example, did not check in detail: https://www.enforcementtracker.com/) and I do not hear (media, social network, etc.) anybody complaining about fines so I think it will just continue ad hopefully will change their opinion at some point.
Yes.
Or, more succinctly - they are likely following the law but have figured out a way to avoid it as written using consumer opt-in and dark patterns.
You call it FUD, but this is hacker news and with overwhelming incentives it is not unreasonable to ask for verification that data isn’t being exfiltrated.
[flagged]
I guess we'll just sit on our hands and do nothing, then.
> Government leaders will never give up their pipeline of knowing everything about everyone.
Then let us hire different leaders into government. Public servants, not overlords.
If you have noticed, every independent candidate almost never gets elected. Vast majority of those who say they will "change the country to the better" either never get elected or are ousted early on. And those who stay change their tune.
I fear that only blackmail-able people with the potential to win elections, get the support, so that they are beholden to someone who ultimately gives them the job (e.g. funding their campaign) and has to return the favor x10 when elected, so promises go out the window and new reality sets in.
Someone tried to create an entirely new country with minimal governance by dumping sand on a submerged reef until it became an island[]. Even then it was quickly co-opted by the nearing statist powers (Tonga) with the blessing of western powers.
So it's not just that the primary process will crush anyone who will seriously roll back government powers. They won't even let anyone peacefully create an entirely new fucking island to try and get away from the tyrants and do it while leaving everyone else alone and not messing with the powers that be.
[] https://en.wikipedia.org/wiki/Republic_of_Minerva
Isn't that the libertarian paradox in a nutshell, the entire reason why "government" exists? Because in reality, the alternative is "might makes right" and a larger, stronger group will band together and steamroll the smaller and uncoordinated individuals?
Government is might makes right, just with a nice name slapped on it. Minerva was minarchist, not anarchist, but for whatever reason they chose not to defend their country by force. Somaliland and the remains of Rojava come to mind as present-day ~minarchist governments that defended their territory by force and ~succeeded. The point being is these kind of changes won't be allowed by election or peacefully. The primaries stop the election process and the militaries stop the peaceful separation process.
America did have a period of relatively small government intervention at the beginning, but that took a war with Britain. It also had some periods of it during the pre-founding (some of 1600s Pennsylvania and Rhode Island while Britain was occupied elsewhere). Pennsylvania (before it was a state) in particular was basically straight up anarchist for I want to say, about 20 years.
> but for whatever reason they chose not to defend their country by force
When forced off the reef, the founders went back to places like Australia, Manhattan, and London with considerable wealth. Pretty easy to see why that was preferable to possibly dying by firing on the armed forces of another country.
Somaliland and Rojava don't have that option.
> relatively small government intervention at the beginning,
Yes, the women, slaves, non-land-owners and native Americans all loved that phase! It was paradise on earth and the embodiment of the eternal liberty to which all (*) humans are entitled.
(*) your experience may vary, depending on your membership of various demographics. Some restrictions apply. Please see package for details.
Thank god you mentioned that. You foiled my diabolical plan of introducing slavery as utopia, as clearly imposing slavery is a way to shrink government intervention. No mention of early USA is complete without damning any experiences drawn on it because muh racism/sexism. Nevermind that whittling down to even that point took a war with Britain, which was relatively more free than before when yet still slavery and Indian slaughter was still happening.
Thank god you responded. You have effectively disarmed my diabolical plan of refuting the idea that early American history was some sort of libertarian paradise, by pointing out that I have used the old canard of slavery as if it, by itself, could invalidate the many good things that came from the early, limited form of government.
I have no option other than to lay down my intellectual tools before you and declare you the winner of this battle of the ages. I am humbled by my idiocy in even bringing up the fundamental economic engine of the early American republic, as if it actually mattered at all in the face of the noble, if perhaps a little selfish, goals of those proud young Americans.
I would say relatively true of the southern colonies. New England, slavery import was banned rapidly, slavery itself banned fairly early (some states almost immediately) and it was arguably never a load bearing pillar. Virginia in particular and the southern colonies only avoided starvation by stumbling on tobacco.
I'd also note slavery was also influenced by how land distribution happened in the colonial era. Lands dispersed under more feudal models lent themselves more to slavery and indentured servitude. Lands that for various reasons that were rapidly sold were more likely to end in the hands of small holders without slaves or fewer slaves.
I've read Graeber/Wengrow. Any new recommendations?
Hierarchical power conflicts with servitude
Its quite easily solved. Stop buying them. There's lots of cars out there that don't have these fun features. Buy them.
> your CC payments help track
Not only that. Them and the point-of-sale vendors (aptly shortened PoS), sell that data. They tend to attempt to do this anonymized. How successful they are in anonymizing that is very much so up for debate.
The websites (and even their retail locations) you buy from send your purchase data to meta and other advertisers directly via APIs so they can better track their marketing conversion rates. You can browse their APIs [1][2] to see what kind of data they like to get, but it tends to be every piece of identification they have on you. Rewards programs make this a much richer data set. You don't need to be a user of Google/Meta for them to build a marketing profile based on this. Google links your physical conversion from ads based on your maps data. Facebook does the same if you give them your location data. Many retailers attempt to use the bluetooth/wifi signals from your phone to track the same data even if you pay in cash [3].
There's no legal framework preventing this outside of the EU and California.
1: https://developers.facebook.com/documentation/ads-commerce/c... 2: https://developers.google.com/google-ads/api/docs/conversion... 3: https://www.nytimes.com/interactive/2019/06/14/opinion/bluet...
> They tend to attempt to do this anonymized. How successful they are in anonymizing that is very much so up for debate.
Yeah I think the big thing to push or talk about is that there is no such thing as "anonymized".
There's only such as a thing as "can only be identified as X many people". Like for a given dataset you can make any data point correlated to 1 of say 50 people. If somebody is anonymizing data and they don't provide a k-anonmizity [1] you should just assume it's 1:1 and effectively not anonmized.
[1]: https://en.wikipedia.org/wiki/K-anonymity
K-Anonymity isn't the only technique. Differential Privacy is arguably more robust.
> They tend to attempt to do this anonymized. How successful they are in anonymizing that is very much so up for debate.
In the good old days, if you were found to be informing on your neighbors to hostile powers, you were liable to find yourself in a mass grave when the political winds shifted, or even sooner.
But now it's so convenient and discreet and common, we think nothing of it. Plus, Google and Apple and Facebook and their partners and everyone they sell data to are our friends, not enemies :)
True, but we must not let the perfect be the enemy of the good. I don't own a smartphone, so neither google nor apple track anything about me that way. I leave my dumbphone at home when I'm out and about, so it basically works like a traditional landline phone, again, no data there (except for phone calls and textmessages of course).
My car is old, so no gps/trackers there, but this is troubling of course. I think that if/when I buy a new one, it has to be either some vintage car, or I have to find a workshop who can rip out all the tracking.
CC payments can be mitigated by paying cash, when available. But yes, CC and bank are a concern and so is CCTV.
Nonetheless I'll still try to maintain what privacy I can.
You do you, John C. Calhoun of Minerva Road, Springfield, CO.
An agent will be shortly with you to assist in that endeavor.
> An agent will be shortly with you to assist in that endeavor.
In some parts of the world that's a death sentence for the target. In other parts, it's one for the agent.
Oh, please. We're not cavemen here. A little coaching on internet best practices, a dash of psychological assistance, perhaps a girl scout cookie or two ...
A friend used to work in ad tech years ago. The telecoms sell real time location data to digital billboard companies which are targeted at whoever is nearby. It's basically minority report. I can definitely imagine they're now using visual processing and face recognition on the billboards.
> And once you've gotten rid of Google and Apple, your telecom company tracks you, your CC payments help track you and even cameras in public do.
Maybe, but what happens without the mod described is that Google and Apple track you in addition to the telecom company. That, of course, assumes that you carry a cell phone tied to your identity. Some people refuse to carry cell phones altogether because of the privacy implications, or use them mostly in airplane mode with an anonymous SIM for backup.
It’s still worth minimising how many companies get your data, and minimising the data itself. I’m not sure what data Apple and Google get specifically out of their car thingies, but it’s very easy to avoid using their car thingie.
I use a googleless flip phone and just don't do anything important on it, and leave it behind often. We didn't always carry tracking devices with us, you can choose not to.
You can also buy an older car that doesn't come with a SIM card installed.
This is the way! But note that telcos are working hard to ban dumbphones from their networks. There is a clear push to force people to dump dumbphones and accept the digital surveillane device.
Should that happen, I will move to a VoIP provider. Not perfect, but better than a smartphone.
At least you can shut your cellphone off and pay in cash.
Exactly, and more and more places are removing cash as a payment option :(
Cash handling isn't free, and for smaller businesses might actually end up being more expensive than accepting electronic payments.
If your margins are so razor thin that the cost of handling cash is significant, you need to raise your prices. Cash is legal tender -- not accepting it for in-person transactions is really shitty (maybe shouldn't be allowed?)
> you need to raise your prices.
And if the competitor doesn't? Ouch.
I think there should be a "digital equivalency act" or something to hamper full digital capture, but my feelings aside, there's a few powers that dislike cash:
Free people like cash, but businesses with low-skill/low-trust workers dislike cash because despite the CC fees, there is less theft, less overhead with cash reconciliation, cameras to watch cash with, less safes to manage, less cash pickup services.
The IRS hates it because there is a cash industry (as there should be, imo, but I'm injecting too much opinion already) that doesn't report earnings. I personally know barbers, housecleaners, handymen that admit to reporting no or few earnings, and synthesize a living off cash and benefits. If you stop paying taxes, this actually works pretty well compared to a low-end tax-paying job. My housecleaner takes overseas vacations (like, thrifty ones in hostels) 2-3 times a year this way.
Banks (arguably the IRS again, deputizing them with KYC) squint at you when you deposit or withdraw significant cash - ask any weed industry participants. Untrackable currency is a natural catch-all for people they don't want to bank with, so it's just friction and headache naturally.
You can't even get coins counted for free at retail banks anymore. Cash handling is too expensive even for the place that ostensibly provides cash handling services to the general public.
Just make all your prices round up to the nearest dollar bill after tax. Eliminate coins at the source.
"Legal tender" only means it must be accepted to settle a debt.
Walking out of the store with groceries generates a debt, no?
I believe that's more likely to generate a criminal charge
You're being more literal than I was. My point was that "a debt" is a broader concept than the GP comment acknowledges. A debt is incurred any time you propose or agree to buy something. And legal tender is the way you settle it.
Then how about paying after ordering and eating a meal?
Depends.
If there was a posted notice that no cash is accepted it's unlikely you'll get a criminal charge, but you can get civilly sued. Most places will just accept the cash then put up a picture saying "If this asshole shows up again, trespass him"
No, eating food & then paying is a debt. After the services have been rendered. If seller can pull back the items, never provided the service, no debt.
You can't go into a store with a gun and demand the cash out of the register if there is no cash.
The actual cost is shrinkage from general human accounting mistakes and all the extra time it takes to manage.
I worked at the gym in college and we sold like one item a day and it was still a whole bunch of work and pain to keep up on the cash counts correct.
I definitely believe that all businesses should take cash as much as is reasonable, but logistically it is understandable why some choose not to
You shouldn't do that anyway; also, you can't skim a credit card I'm not using/carrying. There are crime arguments on both sides.
It's not about "just raise prices", it's about some industries (e.g. upstart restaurants) that already have massive failure rates and have hyper competition. Even airlines don't make money on flights, and instead only on selling credits cards or other perks.
If your operating costs are some percentage higher for accepting cash versus the coffee shop across the street that doesn't, you're more likely to fail.
If everyone has to accept cash, then everyone has the same costs and the point is moot. At any rate, courts are required to accept legal tender, and I think that requirement ought to extend to businesses as well.
> At any rate, courts are required to accept legal tender
Assuming you’re talking about the US here: there is no such requirement, at least not at the federal level. Individual states may have their own laws, but see for example this notice [0] from a Texas federal court that they will no longer accept cash as of May 21, 2021.
[0] https://www.txnb.uscourts.gov/news/notice-court-will-no-long...
The real problem for those businesses is way upstream of payment processing costs, namely in the cost of business loans, the general poverty of the American consumer, and (for brick-and-mortars) zoning. The latter is a matter of getting municipalities to relax restrictions put in place mid-century literally to support segregation, and the former two are a matter of forcing the wealthy to eat the costs of their poor decisions from the last few decades, rather than continuing to allow them to socialize related losses through avenues like scandalously low labor pay vis a vis productivity and various investment/asset market scams (which, through housing and passive retirement investment, they've roped in Boomers and older Gen-Xers).
If you wish to make an apple pie shop from scratch, you must first invent an economy that isn't hamstrung by legacy obligations from ventures that people who are long-dead somehow were allowed to finance with your paycheck. (Somewhere, a middle-aged nepo-baby is clutching her pearls at the thought, and I just think we should cherish, rather than shy from, the opportunity to throw her and her siblings under the bus.)
Handling cash isn't free, but $0.30 + 3% or whatever is also a significant distance from free.
RE .... company tracks you ..... [ somewhat off topis ]
Did you know ... in many countries government tracks car number plates and the data is stored for many years.
1987 4runner, no phone, use cash.
I have heard whispers at times that people who operate 'off grid' like this end up being viewed heavily as persons of interest.
Anecdotally via friends in law enforcement.
I live in Idaho so I don't think that's much of an issue.
Perhaps it's time to give up some convenience for old ways, eh?
[dead]
Is there any information about precisely what vehicle telemetry they capture and retain?
I know the laws are far from perfect, but isn't there some legislation compelling them to disclose what they collect?
What specifically would be the most relevant law/regulation? (If it varies by geography, pick any major market, eg. California, that is big enough to impact their engineering design and the content of published material). You mentioned they're cagey, and my aim is to examine if there's a gap between what they're supposed to disclose and what they do, which could be rectified by litigation. Eg. If they just say "vehicle telemetry" that doesn't tell you much, and I'd happily contribute to an EFF effort to get them to elaborate.
Alternatively someone who works close to this code could provide some examples of what a "typical" smartphone OS platform collects these days.
GDPR should work to get a copy of the data, also it would only be allowed to be collected with explicit permission -- I'm assuming that data about your car is PII about you.
Generally speaking the author seems to wave a bunch of conspiracies around without the evidence to support it, or frankly, much technical knowledge.
The author seems unaware that in iOS you can uncheck nearly every single location usage the OS and Apple Apps themselves collect.
On iOS not only can you shut off things like traffic reporting while using Maps and cellular/WiFI/Bluetooth data collection...unlike Google, Apple will let you use those services without requiring you contribute to them.
> the author seems to wave a bunch of conspiracies around without the evidence to support it
The author provides links at the top to credible reporting on relatively well-known privacy concerns.
> They are both very cagey with how they talk about this (or don't).
No, not really - at least not apple. They are very clear on what CarPlay’s privacy stance is, and they’ve got privacy white papers on pretty much everything:
Eg. https://www.apple.com/privacy/docs/Location_Services_White_P...
Again, at least on the apple front this comes off as a ton of “stated without evidence “
What does a user see when enabling CarPlay on their iPhone, and not browsing apple.com for random .pdfs?
You need GrapheneOS to sever the link to Google. You can also deny specify apps and services Internet access.
Is android auto still available with Graphene? AA is genuinely one of the few life-changing features introduced in the last decade that I'd prefer not to go without.
Mostly works, some stuff doesn't. The worst thing that doesn't work is alternative maps (e.g. OsmAnd).
Yep and works flawlessly via USB for me. That was a deal breaker for me for the longest time too.
Allowing it to connect over Bluetooth requires granting AA plenty of additional permissions which I didn't want to do (but hey, on GOS at least you can muzzle that thing).
I like the idea of graphene, but I worry my banking / brokerage apps wouldn't work anymore and that'd be a deal breaker
The Graphene community maintains a list of compatible banking apps.
Another possibility is to keep an old/cheap, stock Android phone at home with WiFi only for apps like this.
Doesn’t that defeat the point of using an app at all? Use a computer at that point.
Standard Carplay is essentially an additional screen for your phone - your existiing privacy settings carry across. What's your concern?
Unfortunately that's not quite true, since the "app screen" on the media display during Android Auto use has an additional "Toyota" icon that AFAIK isn't coming from my phone.
What's more concerning is that it's entirely unclear exactly what information is shared over the Android Auto link, in my case, over Bluetooth.
There's a protobuf-based API for two-way communication between the Android Auto app and the head unit [0]. It depends on what the headunit supports, but this includes data such as GPS location, steering wheel button activation, accelerometer data, parking brake activation, gear selection, touch screen input, dimmer switch position, odometer, and much more.
A lot of this has obvious use within the AA interface; for example, the parking brake position is used to prevent scrolling too far through lists, and the car's GPS is usually much more accurate than the phone's and better on the phone battery.
0: https://github.com/f1xpl/aasdk/tree/development/aasdk_proto (pretty old reverse-engineering effort)
One of the things I notice CarPlay has access to is the fan speed. In one of my vehicles, when I say “hey siri” it turns the HVAC fan down so it can hear me better. I’ve always wondered if the interface is the phone telling the car “hey make things quieter” or if it’s explicitly turning the fan down. It’s also interesting that this only happens in one of my cars. I assume it’s because the other car is a higher end vehicle and has a quieter fan.
In GM cars (as observed in my last few), the logic is in the head unit: "mic on -> hvac lower", while "hotword detect" uses a different "mic on" method that does not
EDIT, previously "does not" above said "doe snot", which explains the reply below
I'm sure it's not great, but deer mucus is a bit of an extreme description.
I appreciate this comment, FWIW.
I never learned to properly touch type, i have my own method, somehow, which uses two fingers of the left hand and three of the right. Spacebar being pressed too soon or too late is, sadly, common :(
Proper touch typing doesn't fix that issue.
That icon is a "close Carplay/Auto" button. My Subaru has a Subaru button; my wife's Mazda has a Mazda button.
>if you connect your phone to the car via Bluetooth then the car will use your phone as an internet connection and send all the same telemetry data back to Toyota
Source? Can bluetooth devices do that without the user's knowledge?
I assume that the original article statement is referring to connecting to CarPlay/Android Auto wirelessly, not simply connecting via Bluetooth for a speaker-type setup. But I do not know that this is the case. Certainly, I would assume all privacy bets are off if you connect CarPlay/Android Auto in any manner.
> then the car will use your phone as an internet connection and send all the same telemetry data back to Toyota
How?
They are probably confusing google auto with bluetooth.
On Android there is an option called "Bluetooth tethering - Share phone's internet connection via Bluetooth" . If it is On and you are connected to the car's bluetooth it will have internet access via your phone.
That's Bluetooth PAN. I would be very surprised that a car will implement this profile.
I have a 2025 Renault 4 etech and I frequently enable bluetooth thethering so I can access Spotify, HBO etc via the in car entertainment system (It runs a flavour of Android called OpenR Link) , not via android auto. Though I frequently need to enable the bluetooth tethering setting on the phone before the profile can be activated via the cars paired devices menu (where you can select other profiles such as Audio, calling, etc)
While the car has a sim card already, I can't use it for general purpose apps without a subscription. Only updates, remote control and I suppose telemetry.
I usually opt for choosing a bluetooth tether instead of wifi since I already establish a connection for calls, or music / audio books.
It isn't hard to imagine Android being able to transmit vehicle telemetry via the same means.
I'm suspicious that the car's system can do this. I don't think we should be assuming your car can tether internet through bluetooth until we see someone snoop Toyota-bound traffic being routed through their phone.
A 12v bluetooth to FM transmitter can at least give you tunes and a speaker phone feature.
In a perfect world they wouldn't collect it either, but I'd rather Apple have it than the car manufacturer (or rather, only Apple vs both Apple and the car manufacturer)
I use android auto through grapheneos thankfully! this is crazy!
this sounds like donning a TNT vest to diffuse a bomb
Can you clarify? Does it feed it bullshit data? Because android auto expects car telemetry data which it streams to Google's servers. Which is a big no-no for me for obvious reasons.
It doesn't stop Android Auto from doing whatever with the car data, but it's sandboxed to have no more default privileges than a regular app, so it can be denied access to your phone's data by default (apps, contacts, etc.). Wireless AA will only work if you grant it extra privileges; wired AA does not need them.
You can also "firewall" AA via something like TrackerControl, this would let you block connections to eg. Google Analytics servers without denying network access altogether (which would likely cause AA to stop working). I've only used AA with short-term rentals so I didn't spend too much time exploring these options.
tracker control will be itself blocked by android auto, with a stonewall error DISABLE VPN TO USE ANDROID AUTO
not sure if this was caused by an OS update or an AA update because im certain it used to work fine
(not graphene, but friends otherwise stock samsung android)
Fair enough. Streaming my location and an OBD dump to Google whenever I'm driving is a non-starter for me, so I'll stick with the aux cord!
> The problem with this is that both carplay and android auto capture their own vehicle telemetry. So even though the car is not able to use your phone as a general data pipe, Google and Apple still get access to this data when you're connected.
Do you have evidence or a citation for this? Or is it just the sort of statement that’s made in the pretty certain expectation of upvotes on HN?
I would have liked to have seen this citation too instead of seeing you get downvoted.
What about if it's just paired as an audio device rather than through an app?
Don't get CarPlay/Android Auto that way though, so no navigation/maps for example.
Sure -- I'm not asking a general question, but thinking about my wife's phone, which is paired as an audio device. It sounds like we're probably in good shape.
Are there any cars that support CarPlay/Android Auto that don't have built-in navigation/maps?
AFAIK, every single one of those "built-in navigation/maps" either require the car itself is internet connected (with its own modem), or that you every year get a SD card with map updates to stick into the car.
I guess it's fine in an emergency, but I wouldn't want to use it day-by-day, the live traffic/road closure information in my case ends up saving us tons of time over the year.
It is also OK if you only use GPS 3 times per year.
Mine is from 2013. There is no longer map updates for the built in nav system.
So I bought an Android auto / Car play module that integrates with the car touch screen. Now I have up to date maps and navigation for ever. :)
My 2019 Subaru legacy supports auto and does not have built in navigation. The aftermarket dashboard display in my 2011 Ford ranger also supports android auto but has no built in GPS.
Mine (a US 2017 subaru impreza) supports both and doesn't have built-in navigation/maps.
Yes. I can't remember which cars (some base-model Hyundais I think) but I know I've rented a few that did have Android Auto but did not have any navigation included.
I trust Apple more than I trust Toyota.
You shouldn’t. Apple preserves backdoors in iCloud encryption to enable warrantless government surveillance. They have no other option.
It's weird to hang up on this specific item because they do actually offer an E2EE icloud option. Lose your key: lose your data.
https://support.apple.com/en-us/108756
Nobody has it on, and unless BOTH sides are using it, your iMessage conversations are all readable by Apple, because they are backed up twice - one for each end.
This option is also disabled in the UK - an intentionally preserved backdoor for government access.
https://support.apple.com/en-gb/122234
Okay fine but I use it and so does everyone in my immediate family and we're not in the UK. So... you're wrong.
Yeah, but at least for now they don’t have the power to remotely disable my car or jack up my insurance prices and I trust Apple 1000% more than any of the other random car companies do not sell my data.
> then the car will use your phone as an internet connection and send all the same telemetry data back to Toyota [...] so I exclusively use CarPlay via USB.
I would be concerned that a passenger connecting their phone to it while I was driving.
In other cars I've been successful picking up the relevant modules for peanuts from surplus/scrap then just desoldering the RF-active components (like bt radios, etc) and swapping them in. YMMV but if it doesn't work you're just out the cost of a junk part.
Even if some radio feature is benign its existence means that its hard to be confident that there isn't some other telemetry feature you missed. With no connectivity at all you don't need to worry that you missed something because you can monitor the car with a spectrum analyzer and observe its never transmitting.
Unfortunately in some newer cars you can't swap any modules without a dealer tool to pair the module to the car, presumably in a bid to prevent third parties from fixing the car (presumably preventing people from lobotomizing their surveillance isn't on their radar yet).
They are cagey because they get nearly $100k upfront with crazy interest rates, and then they make a ton of money through their spyware.
Honest question: what do you mean?
You pay inflated prices for the car and then they still steal and sell your data. This isn't hard to understand, same thing smart TV mfg do.
$100k is in Canadian dollars? I just added almost every accessory/package and option to the the 2026 GR Sport Plug-in Hybrid RAV4, and it came out to $55,821. If there were options that were nearly identical, I only added the most expensive one. So I only added one hammock ($340) and one of the Pelican Dayventure Backpack Cooler ($301). This includes the dog first-aid kit, and the human first-aid kit. Maybe all the options will come through this link:
https://www.toyota.com/configurator/build/step/summary/year/...
...maybe there is a lot of dealer markup in your area?
I think you mean "subsidized" instead of "inflated".
No, they meant inflated. Cars are quite expensive right now, and dealers are notorious for raking in cash through financing. If they were subsidized, prices would be lower to increase user base, as in the aforementioned dynamic present in the current smart TV market.
I think the inital point was that car manufacturers/dealers are double dipping through initial cost/interest AND data harvesting.
Both an high end tv or a car are expensive items where the manufacturer shouldn’t be making additional income on your personal data.
A free 55 inch tv supported by ads would be subsidized. A big ticket item price likely does not change even if it intrudes on your privacy and the manufacturer makes additional income on your data. In that sense it’s not subsidized it’s just greedy business practices.
I haven't had any insight into the industry lately, but did work for a company in that space several years ago.
Most (all?) ordinary TVs, plus things like Roku streaming devices, are sold essentially at-cost. The profit comes from ads and information-brokering stuff. This makes it basically impossible to break into the market without doing the same thing.
What you describe is a business decision.
Different products exist at different price points to cater to different customers.
If you want to sell a subsidized product with the implication that there will be ads, that’s one business strategy, but to say that it’s not viable to have a higher end product that will not sell the user data because it’s not commercially viable is something I’ll have disagree with.
Computer monitors with no smart features wouldn’t viable if that was the case.
It’s a business decision, but one of the options won’t move enough units to keep Wal-Mart and Target and Costco and Best Buy using shelf space for your product, and the other might.