General Motors Is Banned from Selling Driving Behavior Data for 5 Years
191 comments
·January 17, 2025pards
diggan
> What can be done about this as a consumer looking to buy a new car?
For a consumer in the US, I have no idea, but I'm guessing your question is about that since the story is US-specific?
Probably off-topic, but buying a car in 2019 in Spain, they asked me if I'm OK with data-collection during the purchase, up until car delivery, and handed me a contract to sign for "treatment of personal data". I said no, we moved on.
After buying the car (2018 Audi A3), they threw in some remote-monitoring sensor "for free" that could let me/them see metrics about the car, for "maintenance" and whatever they claimed, that they offered to install. I again said "no", but kept the device itself to pick apart at some later time.
But overall, they seem required to ask (here, EU) but no one batted an eye when I said no. The car has a SIM-card reader, but never used it, I'm guessing if I install a SIM-card the car would ask me if data collection is OK, because we'll always have the choice at least.
Electric cars seems like a no-no for now (everywhere possibly), since all of them came with a "always on connection" regardless of what I want, at least last time I checked.
extraduder_ire
For a few years now, every new car sold in the EU needs a cellular connection for e-call (when airbags are deployed, the car calls 112 itself) functionality. I don't know if it's legal or common to reuse that radio for collecting other data. I would hope not.
diggan
> For a few years now, every new car sold in the EU needs a cellular connection for e-call
Damn, that sucks. Hope my current car lasts a long time then... It even has buttons and everything.
> I don't know if it's legal or common to reuse that radio for collecting other data. I would hope not
My guess would be that when you first get it/boot it, you'll at least get a choice between accepting it or not, that would be the baseline.
hnpolicestate
Sometimes I feel bad for repeating myself but relevant threads keep appearing.
Mazda won't permit me to use remote start because I refused to install their app and enable connected services. The man I worked with on the lease was extraordinarily aggressive with me. Almost demanding I install and register this app to complete lease agreement.
So now I don't have remote start and every time I turn the car on I have to select cancel on an infotainment prompt asking me to enable connected services.
The TOS specifically says driving data will be sold to 3rd parties including law enforcement and insurance companies.
emeril
I had a similar experience with a Mazda lease
I never installed the app and I was asked to by the leasing guy though he wasn't pushy about it - for whatever reason, the lease/sales guys are incented to have it installed though, allegedly, mazda corporate says they don't incent them - I don't trust it
also, allegedly, since I didn't install it, mazda says my TPU is disabled which is fine by me - remote start is less important than saying many thousands of dollars on bogus insurance hikes
clejack
I didn't work for Mazda, but I did work for a large auto manufacturer, and I can tell you we did incentivize dealers to complete sign up for connected services for the reasons most of you would probably expect.
We wanted to collect your data to sell it, utilize it for maintenance, or for general product improvement. I.e. wanted it so we could make or save money. No surprise there I hope.
The dealer incentive was literally a payment when a customer signs up because the money we'd make with customer data outweighs the dealer kickback.
pards
> The TOS specifically says driving data will be sold to 3rd parties including law enforcement and insurance companies.
That's awful, but at least it was written down, I guess.
That'd be a hard "No" for me. Or at least I'd ask for a big chunk of that revenue in exchange for MY data.
acuozzo
> Almost demanding I install and register this app to complete lease agreement.
I wonder how he would react if you were to tell him that you don't own or use a cellular phone.
hn1986
Unfortunately, a car like Tesla collects so much data. And it's only a matter of time before they start selling it. I don't know if any other car company that collects more data than Tesla.
Schiendelman
Tesla also states unequivocally that they do not sell user data: https://www.tesla.com/support/privacy
diggan
Tesla state they don't sell "personal information" but they also explicitly say that "Tesla may also collect, use, and share information that does not, on its own, personally identify you" (so "anonymized" data) and also that "personal information" is subject to be processed to "fulfill contractual obligations with third parties, agents and affiliates", whatever that means. https://www.tesla.com/legal/privacy#how-we-may-use-your-info...
autoexec
Employees are also sharing videos and photos of people in/around their cars with each other and I'm sure they end up in the hands of friends/family members as well. https://www.reuters.com/technology/tesla-workers-shared-sens...
finnthehuman
Any unfaltering language a company uses is always one bizdev meeting away from "lol just update the contract of adhesion."
ripply
Tesla states a lot of things, like that their second generation 2020 roadster is going to be ready next year (tm). I wouldn't put a lot of faith in anything they say, all it takes is Musk changing his mind down the line and then anything goes.
whamlastxmas
I think I’d pick Tesla, even if it’s more data, because they have never sold that data or indicated they ever would. Unlike literally every other manufacturer that has and does
floatrock
lol has any OEM ever indicated they would sell data? Or was the truth pulled out of them after an extended legal fight where lawyers quibbled over whether weasel-words like "maintenance and quality assurance purposes" covered "selling technically anonymous information to a data broker but everyone knows there's enough metadata in there that the data broker attaches an identity when they resell it to the insurance companies"?
Gut check, sure, but I wouldn't trust the company that argued technically autopilot wasn't turned on in car crashes because they turned it off milliseconds before the sensed impact and blamed it on driver inattention as being a good, well-intentioned data steward.
mikestew
I bought a Hyundai Ioniq 5. Hyundai never indicated that they’d sell the data, either. But guess what?
Here’s one thing neither Tesla nor Hyundai have ever said: that they won’t sell the data. (EDIT: I stand corrected on Tesla, as per reply comment. “ We do not sell your personal information to anyone for any purpose, period.”)
hulitu
> because they have never sold that data or indicated they ever would.
They all do this until you press "I agree". Some do it even before.
MetaWhirledPeas
I agree if only because Tesla seems so vertically integrated and dedicated to their vision. Nowhere in their vision is "establish a side hustle of selling user data for extra cash".
ActionHank
"I'd pick Tesla because they're pretty cool guy and don't afraid of anything."
acuozzo
> Can I corrupt data transmission and collection?
In my 2018 Chevy Volt Premier it's not too difficult to disconnect the LTE module. You lose OnStar, remote start, and other "connected" features, but the car and CarPlay still work.
https://www.jamesxli.com/2024/chevy-volt-disable-cellular.ht...
FollowingTheDao
I own a 2001 Dodge Grand Caravan. No tracking. Runs Great. I just keep fixing it, much cheaper than a new car. Plus I can live in it as well.
I do not know the year they started with all the tracking stuff but you can find an older car that does not have any tracking and spend the rest of the money making it mint.
There is no getting away from it though, we are all watched over by the machines of loving grace. You know with the new LoRaWAN and IoT everywhere scam they are rolling out there will be nothing you can do to escape the surveillance apparatus.
I am giving up. no sense in fighting it anymore. I am just a good little corporate boy toy now.
14
That is one of the worst cars to own. You will continue to fix it more frequently at an accelerated rate mark my words. So much cheap plastic parts the parts are right at that point where they will fail molecularly and you see an increased rate of failure. To top it off the replacement parts are mostly the same age and those 2 will look new but also fail quickly. Lastly Dodge sucks. They are basically the last car I would ever buy.
pards
This might be the way forward - buy a well-built older car and learn to DIY basic maintenance and repairs.
mmooss
> there will be nothing you can do
That makes it much easier for people to collect data. People read on the Internet, yet again, that they are powerless.
NotYourLawyer
Research the car ahead of time and figure out how to disconnect the telematics control unit (or whatever that manufacturer calls it).
tomrod
I am deeply interested in better understanding faraday cages that can block transmission.
hulitu
> I am deeply interested in better understanding faraday cages that can block transmission.
You cannot shield your car (ok, you can, but then you cannot drive it). What you can do is disturb the antenna so not enough power will be available to be sent.
diggan
Quick search seems to reveal Indium Tin Oxide (ITO) coated glass is transparent enough to let through visible light, but blocks transmissions. One could theoretically build a car with that for the windows. The rest seems easier.
LeftHandPath
My plan is to buy an old 1960-1970 280SL (or, really, any somewhat reliable vintage car) and stubbornly refuse to drive anything else.
diggan
There are more recent cars than going back to the 70s that doesn't force data collection on you... My car is from 2018 and has none of that stuff, and it even has buttons for all controls, no touchscreen (2018 Audi A3).
I like the feel of driving classic/older cars, but I really cannot justify the safety and pollution drawbacks if I wanted to use them daily.
LeftHandPath
For sure. I just really like the SL!
Currently have a 2012 C350 Coupe that I love to death. Have had it since 2018. Fantastic car, I don’t think it spies on me too much
autoexec
More recent cars probably have onstar systems installed that need to be removed.
tomrod
What do you recommend? I thought everything 2015 forward collected data.
mmooss
I don't understand the FTC. Why and how did they start protecting consumer privacy? Could they have done it before? Do they have an overall systematic plan for protecting it comprehensively? Do they have a guiding principle?
I'm glad they are moving forward on it, at least until Monday.
xyst
They don’t give a shit about privacy directly but GM was egregious in collecting this data
- confusing consumers
- sneakily signing up consumers to “smart driver” as part of onstar
- data brokers subsequently building profiles on users and selling this data to _insurance companies_
- consumers later finding out their insurance doesn’t get renewed because of this secret driver profile that was built without their explicit consent
If GM followed the rules by disclosing this directly, allowing consumers to opt out. They probably wouldn’t be in this embarrassing position.
It’s in the FTC release: https://www.ftc.gov/news-events/news/press-releases/2025/01/...
soco
Please allow me to be cynical and see here no embarrassment whatsoever. They cashed on this for years and will surely find other ways (and have some already) to further cash on people. It's only one of the schemes which got foiled, and only for a while. Yes, I have zero trust and the presumption is of guilt.
infecto
Did they really "cash" in on it? When I saw the prior articles on GM it sounded like a very minor revenue stream that did not scratch their overall revenue from vehicle sales.
null
ycombinatrix
Lmao. They were too cartoonish in their villainous behavior.
mrguyorama
It's surprising since usually nowadays that gets you a cabinet position or a seat in the House.
diggan
> They don’t give a shit about privacy directly
But then this submission is explicitly about them giving a shit, and your own example shows that they do give a shit. Since GM didn't allow people a choice regarding their privacy, FTC looked into it?
I really don't understand how someone can see this story about FTC giving a shit, and then proclaim "They don't give a shit". If they didn't give a shit, why do something?
FollowingTheDao
If they gave a shit they would ban it from all cars and not let the automakers hide it with dark patterns.
kevingadd
This is largely the work of Lina Khan and the people reporting to her. She's fairly new to the FTC still (Biden appointee) and has been intentionally pushing on all of this.
Protecting it is difficult since the house/senate and scotus are all determined to roll back pro-consumer laws but that's not really something the FTC can fix, only voters can fix that.
Voters don't seem to see these things as important though based on how they voted most recently. They have other priorities I suppose.
johnnyanmac
I'll be generous and say that voters are distracted by other things. easy unsubscribe is great, but it's never going to win an election.
I'll also be cynical and say that voters were also lacking critical thinking in terms of how the president elect simply said he'd do things with no action plan behind it. He already went back on several "promises" even before properly stepping in as President. This is just shame on us at this point.
robertlagrant
> Voters don't seem to see these things as important though based on how they voted most recently. They have other priorities I suppose.
This is why saying "but you can elect new officials" is a canard. You only have two choices, each with thousands of consequences.
sapphicsnail
Harris wouldn't even commit to keeping Lina Khan on.
null
input_sh
Lina Khan deserves all the praise and then some.
Banning non-competes, preventing Microsoft-Blizzard merger (amongst many others), enforcing the right-to-repair, filing lawsuits to lower drug prices, making cancelling subscriptions easier...
Your friendly reminder that both Amazon and Meta were openly against her taking the position, that the upcoming administration will scrap the antitrust lawsuits against both of them (the one against Meta was supposed to start in spring, the one against Amazon in 2026) and that this is why Bezos and Zuckerberg are cozying up to Trump.
9283409232
She did not prevent the Microsoft-Blizzard merger. The FTC lost that case.
tehjoker
[flagged]
AndyNemmity
[flagged]
EVa5I7bHFq9mnYK
How about monetary compensation? People lost real money, damages can be calculated.
After all, if I installed spying software on GM's computers, and sold the extracted data to, say, Toyota, I'd face hefty fines. And spend time in prison.
diggan
> After all, if I installed spying software on GM's computers, and sold the extracted data to, say, Toyota, I'd face hefty fines. And spend time in prison.
You're going about this all wrong. Setup a company, create a landing page and do some B2B contracts for selling that data, and you too can be a "Data Broker" fully legally. But yes, approaching this as an individual is most likely illegal, you're supposed to do it as a corporation.
throwup238
IANAL but you’ll want a cofounder. Piercing the veil is a lot easier with a single founder company.
xyst
Probably a class action lawsuit in the future, if one does not already exist.
Jail time? Probably not, we let health insurance companies get away with taking away critical needs from patients and delaying care in the name of delivering shareholder value. The best they get is a slap on the wrist from the government, let alone jail time.
NikkiA
But not if you sold GM software that had a clause deep in the license agreement saying you'd sell the data to Toyota.
Nuzzerino
What if in this case it was about keeping the accident rate low by incentivizing safe driving? Don't know if I agree with them doing it, but it's probably not an argument that any side would win, and we don't even truly know if it would be a negative or a positive for society when looking at it from every angle.
userbinator
but it can still share anonymous data about people’s driving with third parties
Most important part of this IMHO.
null
cameldrv
Yeah and it’s simple to reidentify anonymous location traces. The simplest way is to buy cell phone location data from apps, which is generally intermittent, but even with just 5-6 location/time pairs, you’re going to be able to positively identify someone, with the small caveat that there will be some ambiguity with members of a household that share a car.
robojunkie
Is it anonymous aggregated data or just anonymized data? Anonymized data can easily be de-anonymized, as you stated.
johnisgood
Assuming the worst in these cases is always a good idea.
autoexec
Even aggregated has been and can be de-anonymized
55555
Yeah, super anonymized if only my car leaves from my house every day to go to work and comes back every night...
rcarmo
As an European, this is weird. Just 5 years? Why were they allowed to do this in the first place?
skywhopper
Collecting and selling the data is legal if they give you the chance to opt out. They went out of their way to avoid giving you that chance, and that’s what they got in trouble for. So the five year ban is a penalty for breaking the actual law, which is just that the consumer should have a chance to say no.
bigbacaloa
[dead]
nonrandomstring
Yes I don't understand the "5 Years" part at all.
Either it's illegal or it isn't.
No judge ever says "I ban you from burgling houses for 5 years!", like after 5 years it would be okay again.
robertlagrant
> Either it's illegal or it isn't.
I think: it's illegal without consent. They can't do it for 5 years, even if they got consent, as a punitive measure. After that they will have to seek consent.
diggan
Imagine this:
Security pentester tests someone's website before getting approval/confirmation that this is what the client (who isn't a client yet) wants.
Someone reports that, and judge says "Since you didn't do the pentest the legal way, we're banning you from doing pentests for five years"
After those five years, the pentester can continue doing tests, but legally. The five year ban is not the punishment for doing pentests, but for doing unauthorized pentests.
The analogy here is that data collection/selling is legal, but you have to follow the rules regarding how collection happens. If you break those rules, they'll ban you for N years, after that you can do the collection/selling but following the rules.
ninalanyon
No burglar has the resources of GM.
2024user
Isn't that jail time?
paul7986
Maybe this is well know and this is about auto insurance but mine just went up $50 a month because of a national database about each of our cars ... the tiniest details are recorded into it and all auto insurance companies then use to jack up your current rate. If you try to go elsewhere they point to oh you used your Allstate towing benefit a lot so it's $200 a month vs. $140 (cant get a deal from others). Jiffy Lube enters the frequency of your oil changes and the amount of miles in this database too. If you start a new temp job that's further away then usual and start to have more oil changes your insurance could / will go up cause they see you are driving more then you were. I understand entering my car's accident record into this database but I was surprised the tiniest details are entered into this database and Allstate & Jiffy Lube say they do not sell this data they just enter it into this national database...
ellen364
I'll confess I was sceptical about this but, at minimum, the database seems to exist.
There's a company called Carfax that I'd never heard of. Their EU site seems to provide basic reports about the VIN, whether the car has been written off, etc. Those basic "Is this car sale a scam?" checks are common in the UK.
But the site also makes a big deal about "Get the American report!" So I googled "Carfax oil change" and found people talking about the oil change history in the reports [0]
In the UK it was traditionally common to keep a car log book where you recorded all maintenance and might get the garage to put their stamp on it, to prove to a future buyer that you'd looked after the car. But having a garage enter that info into some random company's database, and maybe not telling me, would be disappointing.
[0] https://www.toyotanation.com/threads/oil-change-history-when...
null
Hizonner
How about a permanent ban from collecting it in the first place? And you can apply that to the rest of them, while you're at it.
> The five-year ban prohibits G.M. from sharing information about individual drivers, but it can still share anonymous data about people’s driving with third parties, such as road safety researchers.
I know Kashmir Hill knows better than to believe in the fairy tale of "anonymous data".
aucisson_masque
Privacy ? But I have nothing to hide.
Everyone has something to hide, be it as simple as your driving behavior, so you don't end up over paying for insurance or even in the situation where all company refuse to insure a 'risky' profile.
mrweasel
There's also things that are private, but not necessarily deeply secret. There's also things that are completely legal, but morally questionable, at least in your social circles, and if that information was to leak out it would be harmful.
With the VW data leak I was pretty horrified that VW either doesn't understand or don't care that leaking location data isn't just privacy invading, it's potentially dangerous for victims of stalking and abuse. In the mildest cases these people may need to move, in the worst they die.
Car companies seem completely oblivious to the dangers of collecting driving data.
soco
Naming this "oblivious" hides ill intent. And by that I mean, I assume they knew and know exactly the possible implications and decided to throw everybody under the bus for shareholder value. Am I wrong to assume this?
mrweasel
Hard to say. I'm sure that in some 100 page report somewhere under the list of concerns is the risk of information leaks and potential damage. Then someone decided that the company just spend $50M on "cyber" and in their summation change the text to "potential risk of data lose is offset by investments in cyber security", then they push the new 40 page up the stack. The security risk is now perceived as low, so it's removed from the executive summary and a 3 page memo on the revenue and share price benefits is created.
I don't think was ever ill intent, but when it inevitably goes wrong, then yes, everyone will be thrown under the bus if it protects the stock price.
ripped_britches
They were trying to warn us by naming it “Smart Driver”. Come on yall.
blackeyeblitzar
For me as a consumer, whether they’re selling it or giving it away for free or expose it via a data breach, the impact on me is the same. All three deserve fines and jail time for executives. It is strange to me that attention is given to this data but not to the leaking of medical records of literally over 100 million Americans by Change Healthcare last year (a subsidiary of United Health). Most of those victims never were customers of Change or United, but somehow their records were with this company.
ksynwa
What I am wondering if to what extent (if any) I can protect myself as an end user from this kind of spying by just not connecting these smart devices to the internet.
A while I read about smart TVs bypassing pihole-style blockers by using hardcoded IP addresses and DNS server addresses.
I don't even know how smart cars work. Do they have their own SIM card or something like that? Either way there are so many ways they can subvert obstacles. For example a car could scan for unprotected WiFi networks and connect to one if found.
lnsru
Every new car has a SIM card. Apparently in Europe used for emergency automatic calls. But having SIM card in the car is not mandatory. All the information in other cases is saved in the car. And when you bring the car to the dealership the information is transferred over the wire in old fashioned way. Safest thing is to have an older car without much electronics, that can be repaired outside dealership network. Some cars like a Teslas have very normal cameras filming interior. Apparently to monitor the driver. But who knows.
GauntletWizard
I intentionally bought a used car with only a 3G network connection, knowing (at the time, almost 3 years ago) it would soon shut down in the US. I smiled at the "Your OnStar will soon stop working" messages, and intend to hold onto it for a good long time.
timeon
> Some cars like a Teslas have very normal cameras filming interior.
Wow is this real?
ninalanyon
Cars that offer driver assistance have to have some way of determining that the driver is awake and paying attention. One way is to monitor steering wheel input which is how older Teslas do it another is to use a camera to monitor the driver's face and that is done by several brands not just new Teslas.
lnsru
Absolutely! As well as 1€ camera covers from AliExpress.
miohtama
Yes a mobile as a government tracking device in your car is mandated in Europe.
avh02
my understanding is for things like eCall that the phone only gets activated when it's actually needed (i.e: an emergency), but never found a check/analysis of this on cars (though i only looked for 2 mins when i checked)
almostnormal
Not yet. But soon, when cars are required to transmit data about emissions.
What can be done about this as a consumer looking to buy a new car?
I'll be in the market for a new car in the next few years but I do not want to buy anything that tracks or collects ANY data about me.I was assuming that buying a cheap non-electric car would offer some protection but I'd love to know more.