this post was submitted on 23 Nov 2024
557 points (98.9% liked)

Technology

59708 readers
1881 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

New research reveals serious privacy flaws in the data practices of new internet connected cars in Australia. It’s yet another reason why we need urgent reform of privacy laws.

Modern cars are increasingly equipped with internet-enabled features. Your “connected car” might automatically detect an accident and call emergency services, or send a notification if a child is left in the back seat.

But connected cars are also sophisticated surveillance devices. The data they collect can create a highly revealing picture of each driver. If this data is misused, it can result in privacy and security threats.

A report published today analysed the privacy terms from 15 of the most popular new car brands that sell connected cars in Australia.

This analysis uncovered concerning practices. There are enormous obstacles for consumers who want to find and understand the privacy terms. Some brands also make inaccurate claims that certain information is not “personal information”, implying the Privacy Act doesn’t apply to that data.

Some companies are also repurposing personal information for “marketing” or “research”, and sharing data with third parties.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 9 points 6 days ago (1 children)

Please describe this zero-to-little effort attack chain.

[–] [email protected] 22 points 6 days ago (1 children)

You go to a data broker that sells "anonymized" location data and give them money and a region of interest. Done.

[–] sugar_in_your_tea 6 points 6 days ago (2 children)

Yup. Police do that, and I'm guessing it wouldn't be too hard if you're persistent (claim to be a private investigator or something).

[–] [email protected] 5 points 6 days ago* (last edited 6 days ago) (2 children)

Found it (In german but we have translators these days...) https://netzpolitik.org/2024/databroker-files-firma-verschleudert-36-milliarden-standorte-von-menschen-in-deutschland/

This is about phone location data, but i dont see any reason why cars would be any different, they create less privacy sensitive data than phones in a way.

The people that wrote this article actually got a huge amount of slightly older data for free just as a sample. But this is the scale these data brokers operate at:

The data itself comes from the US company Datastream Group. It offers such location data on a monthly subscription basis. According to the offer, it comes from up to 163 countries and is updated hourly.

You can buy huge amounts of location data for anyone anywhere that uses a standard google or apple phone. Im not sure if you even need to have some random app, like socials or anything with ads in it, installed that leaks this data or if its just google and apple themselves that sell it. All you need is a single identifying point of confirmed time+location for your target and then you can reconstruct their entire movement from that.

This has very obvious and less obvious horrible implications. Things like tracking victims of abuse, finding out peoples home address after meeting them once, tracking military personnel movement, tracking people going to sex related locations, prisons, abortion clinics, endless potential for abuse.

[–] sugar_in_your_tea 5 points 6 days ago

Awesome!

The difference, though, is I can turn off my phone if I want to, but I can't really turn off the car tracking unless I tear apart the car to remove the antenna (or at least the power). Some cars make it easy in the fuse box, but others make it a PIA.

I'm planning to switch to a VOIP number and only use my SIM for data and SMS 2FA. Then I can turn off/remove the SIM as needed. Once I don't need SMS anymore, I can get a data only SIM and hopefully hide among the various iPads and smart watches.

I wish I could trust my carrier, but articles like the one you mentioned remind me that I really can't.

[–] [email protected] 1 points 6 days ago (1 children)

I would mention de-googling your phone but it doesn't stop HW backdoors. would flip phones be effected? what the hell do we do?

[–] [email protected] 1 points 6 days ago* (last edited 6 days ago)

HW backdoors are probably not something that brokers like these leverage so its a different topic. They just like making easy money from ad tracking systems, they dont wanna work hard and fuck around with zero days.

If you have physical security worries (government trying to kill you) then you either need graphene on a pixel and hope there are no RCE HW backdoors or something else entirely or no phone.

But the "tracking by default" in normal phones, with data being easily available is an issue that affects almost everyone not just high risk individuals.

[–] [email protected] 4 points 6 days ago

claim to be a private investigator or something

Oh no absolutely not necessary, this is commercially for sale data that anyone can buy as long as you dont make it obvious that you are up to no good. I will see if i can find the last article i saw about someone testing this themselves.